Microsoft

Hotmail Hacked 494

SyD writes "Apparently there is a major security hole on Hotmail that could allow crackers to read your e-mail. A hacking group known as root core discovered the hole and reported it to Microsoft." This isn't the first time that the folks who are gonna give us an internet-wide universal login system had a hole. The funny part is that I posted a story almost exactly like this like 2 years ago, and about once a week, someone emails me and says "I think my boyfriend/girlfriend is cheating on me and I really need to know the backdoor into hotmail to find out". No I'm not kidding. You can't make that stuff up.
  • Again? (Score:3, Funny)

    by SilLumTao ( 134743 ) on Monday August 20, 2001 @06:33PM (#2199808) Homepage
    Apparently there is a major security hole on Hotmail that could allow crackers to read your e-mail.


    Score: -1, Redundant

  • by Chagrin ( 128939 ) on Monday August 20, 2001 @06:36PM (#2199830) Homepage

    • "The average person in the street doesn't need to worry, as they would have to be specifically targeted," said Graham Cluley, an Internet security expert with antivirus firm Sophos.

    I suppose the quux is whether I'm an "average person" or not. I think I'll go stand in the street to hedge my bets.
  • *whew* Good thing I still have all those y2k supplies.
  • No no no (Score:2, Interesting)

    by sllort ( 442574 )
    "In addition, intruders would first need to log in to their own Hotmail accounts, which means they'd leave a clear trail for investigators to follow, experts said."

    Bring me these experts. If someone thinks my hotmail account(s) leave a clear trail to me, they're insane. They leave a clear trail to my web proxy, perhaps. Most of my accounts only ever receive one email too... "Slashdot password for user Vladinat0r"

    Sigh. Experts indeed!
    • No kidding. Yeah, every time I feel like doing something that could be potentially illegal I always use my own Hotmail account. And of course I've put my name, home address, and phone number into this account's information. Not to mention the fact that I'll do it from my home or office computer with a nice and easily traceable IP back to me.

      Other tidbits I liked:

      In order for intruders to access a Hotmail user's emails, they would need to know the victim's user name and then guess the number that identifies a specific email message.

      Lessee now, who would most people be targeting: random users or specific family, friends, or enemies who they already have an address for? Not to mention the thousands, if not millions, of Hotmail addresses that could be reaped with a simple search.

      "The average person in the street doesn't need to worry, as they would have to be specifically targeted," said Graham Cluley, an Internet security expert with antivirus firm Sophos.

      Hey, Average Joe! Got any enemies who might be interested in reading your mail?

      Root Core has posted on its website a scanning program that automatically guesses about one message number every second. But security experts said the program's impact is limited because, in order to work, an intruder would need to have a fast Internet connection and know how often the targeted victim checks their email account.

      I wonder how many script kiddies are out there sitting next to their cable or DSL modems sniggering into their milk right now?

      ----------

      Digital Pants...ACTIVATE!

  • by Imperator ( 17614 ) <slashdot2&omershenker,net> on Monday August 20, 2001 @06:37PM (#2199838)
    You need to guess the message ID, a longish string based on a timestamp and another number. And once you do that, you still can't read other messages from that account unless you guess them separately. You could try brute-forcing the message IDs, of course, but then you're relying on a fast connection (I believe there are 60 possible message IDs per second, and you rarely know exactly when a message was processed anyway) and fast servers. Besides, after all this, you'll probably find that all the target account's real mail was automatically deleted to make room for WinXP.iso.bat, attached to a message asking for advice.
    • by MaxwellStreet ( 148915 ) on Monday August 20, 2001 @06:54PM (#2199944)
      Exactly.

      This isn't the "major" security hole that the slashdot submission suggested.

      It would take a minor miracle to guess a message number correctly.

      And considering what *I* use hotmail for, namely, a spam catcher, any hacker that got lucky enough would probably discover yet another way to get rich quick. If someone really wanted to read my email there, they could keep trying - but their hotmail username (at very least) would be recorded.

      I don't mean to pooh-pooh this issue; but I think editorializing this into a *major* security problem (a la Code Red) is a little disingenuous, and misguided.

      • by aralin ( 107264 ) on Monday August 20, 2001 @07:35PM (#2200135)
        It would take a minor miracle to guess a message number correctly.

        Actually... not... there are only 86400 seconds in a day and you need to worry about approx. the first 100 message numbers, which makes it under ten million hits required to read your whole day's correspondence. And the effectiveness can be increased with a clever algorithm so I will have most of them after the first million.

        In other words, a nice perl script that will take me about 1-2 hours to write will every day fetch all your mail without even making my computer sweat. :)

        What kind of miracle is that? And shall I be proclaimed saint for performing such miracles?

        • But when you start to consider that the super-duper-top-secret algorithm for encoding message numbers constitutes "encryption" according to some, then it's protected under the DMCA.

          You have just published a "Circumvention Algorithm."

          Shame on you. No doubt the FBI is on their way to your house to slap you on the wrists with wet noodles. Oops, I mean slap you in irons. The wet noodles are for Microsoft under the new Punitive Actions for the antitrust suit.
        • If you want my hotmail password that bad, just ask. I'll send it to you and save you the trouble.
      • but their hotmail username (at very least) would be recorded.

        And we all know how hard those are to get.

        It's not like they make you produce a stamped letter from a notary public, or even enter a credit card number, before they give you an account. Or did you really think that suzi3952@hotmail.com (the hot young co-ed) was a real person?
        • Or did you really think that suzi3952@hotmail.com (the hot young co-ed) was a real person?

          Of course she is. She just happens to be a 37 year old man sitting around at home in his dirty underwear.

      • And considering what *I* use hotmail for, namely, a spam catcher, any hacker that got lucky enough would probably discover yet another way to get rich quick.
        Yeah, but that message was meant for me! I don't want some no-good cracker to get rich quick by hacking my Hotmail account!
  • by kcbrown ( 7426 ) <slashdot@sysexperts.com> on Monday August 20, 2001 @06:39PM (#2199845)

    % telnet www.hotmail.com 80
    Trying 64.4.43.7...
    Connected to 64.4.43.7.
    Escape character is '^]'.
    GET /root.exe
    What is thy bidding, my master?


    Guess they haven't gotten rid of Code Red yet! :-)

    (For the humor impaired: no, I did not actually do the telnet session.)
  • Oh no (Score:4, Insightful)

    Now anyone can get in and read all the porn ads I get in my hotmail inbox.
  • Hotmail is predictable. Down, insecure, loses messages. You can count on it to fail you. I've been using Hotmail for a few years now and cannot remember a time when it was as bad as it is now! Slow, lost Body portions of the messages...cannot connect...

    I'm glad for Onebox and my regular email accounts.

    Sure, some would say, "It's free; shut up!" But: MS is __still__ claiming to provide a service even though there is no direct cost to me. That there's no cost doesn't mean I don't expect the service to be useable. My recourse is to leave. Is that what MS wants?

    Oh, as an aside, I hope the message #292192399 bug is never fixed - "Imagine if there's no First Posts...It's easy if you try..."

  • by Bonker ( 243350 ) on Monday August 20, 2001 @06:40PM (#2199854)
    A monopoly is a scary thing.

    Despite the fact that MS believes very firmly in a security through obscurity model of business, they have both benevolent and malicious hackers and crackers world wide working to expose as many of their security holes as possible, thereby forcing MS to patch those holes. Code Red would still be unpatched if eEye hadn't released its exploit POC. This exploit would still be out in the open and freely abusable if it hadn't been released.

    Since MS is the 'standard' for most internet users, it's also the recipient of all the world's unsolicited security advice.
  • Go with Yahoo! Mail. (Score:2, Informative)

    by boinger ( 4618 )
    Yahoo! Mail [slashdot.org] has never had such a flaw exposed, has it?

    And Yahoo! Messenger kicks AIM's and MSN Messenger's asses.

    Why tempt fate?

  • by tre ( 172905 ) on Monday August 20, 2001 @06:43PM (#2199874) Homepage
    blah blah, we expect this from MS... blah blah, when will they get their act together...

    This was already posted to BugTraq [securityfocus.com] not too long ago. For a more technical breakdown of the details surrounding the Hotmail vulnerability, go here:

    http://www.securityfocus.com/archive/1/205785 [securityfocus.com]
  • PLEASE! (Score:2, Funny)

    by plemeljr ( 250971 )
    * Will someone please think of the children! *
  • by ddstreet ( 49825 ) <ddstreet AT ieee DOT org> on Monday August 20, 2001 @06:44PM (#2199879) Homepage
    ...is priceless:


    "However," Microsoft said, "we recognize the concerns raised in the computational infeasibility of this mechanism and are investigating ways that we can raise this bar even higher."


    Like Taco said...you just can't make this stuff up. That response is just too funny.

  • universal variables (Score:2, Interesting)

    by Traicovn ( 226034 )
    The more parts of a program you have referencing any single variable in programming C/C++, the more chance for a margin of error you have

    Security works the same way. The more places you use a key, or the more people you give a copy of your key to, the higher risk you have for errors, being hacked, identity theft, being robbed, etc. A 'single sign-on' like the MSN/Hotmail passport or AOL's new Single-Signon or Screenname (not sure what they are calling it) that all AIM accounts/AOL accounts now have become are just another invitation of risk.

    Users need to be alerted of this fact, that these systems may not be secure, and users need to understand that the more people who they use their single sign-on for, the higher the risk becomes.

    In this situation though, you have to wonder. If the person issuing the 'keys', microsoft in this case, does not do a good job of protecting them and making sure that their security is up to date, can it be any better than if you had a safe deposit box that sat unlocked in the middle of Times Square?

    I can't wait to see what happens when in addition to all these Single Sign-on and Passport type programs, that we have Digital Signatures too. That should be interesting.
  • Weren't they hacked a little while ago? Something about passwords or usernames or something?

    I'm glad I stopped using them years ago, when M$ took over. I kinda knew that their service was going down.

    Let's see, they were hacked once, then the red worm did a little damage, now they are hacked again... hmm can't wait for .net, so that everyone can read my design documents. hmm do you think they'll have local or remote storage with .net???

    It's too bad that they are such a hackers target and they do little in the way of security. I wonder how strong the M$ firewall will be in XP..

    I know it may seem a bit trollish, and would be surprised if someone did not ask questions, but then again there are those that follow blindly.. Are you a sheep or a wolf?

  • I'm so glad they found this flaw (one which from the reading isn't all that new) as now we know that our hotmail can be read by anyone - how ? well the kind hearted uber skilled hackers didn't just post this to MS did they ? naaah they posted it everywhere - it's the talk of IRC etc etc.

    I'm so glad hackers keep 'finding' things, like credit card numbers, ways into banking systems, viruses like code red - makes me feel warm and fuzzy.

    My question - not to be a troll - is this (and this does not just relate to MS products but I'm asking a serious question)

    if this security flaw had not been found (by these guys looking for a way to break into hotmail to read peoples mail) would anyone have been affected ? i mean if the flaw had to be looked for with careful thought etc then was it a real serious issue BEFORE these guys told everyone ?

    networks can have flaws and holes, open ports etc left active by a careless admin - not the best i know but big systems have a lot of work and these days we are coping with less staff (i know my company is) so sometimes things slip through.

    But these guys go and look for the exploit (i mean what other reason would you have to search for this exploit BUT to be able to hack in and read mail? and then why tell everyone?)

    These things need to be fixed i agree but if no one would know they were there except for some kindly souls seeking them out then how much of an issue are they ? Are we just accepting that hackers are a good thing cause they find these problems ? what will you think when they 'find' that flaw in the company which has your credit card number ?
    • Re:'Found it' ? (Score:5, Insightful)

      by DNS-and-BIND ( 461968 ) on Monday August 20, 2001 @07:13PM (#2200056) Homepage
      If you don't tell anyone, the flaw is still there. Only, if you don't tell anyone about the flaw, only the bad guys know about it. The piece below was written in 1853 by Charles Tomlinson, and is only an excerpt of the treatise, but it shows that people recognized that 'security' through thwarting the exchange of knowledge of flaws was not really security at all, waaaay before the digital age.

      Rudimentary Treatise on the Construction of Locks



      A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and already know much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lockpicking long before locksmiths discussed it among themselves, as they have lately done. If a lock -- let it have been made in whatever country, or by whatever maker -- is not so inviolable as it has hitherto been deemed to be, surely it is in the interest of honest persons to know this fact, because the dishonest are tolerably certain to be the first to apply the knowledge practically; and the spread of knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquaintance with real facts will, in the end, be better for all parties.

      Some time ago, when the reading public was alarmed at being told how London milk is adulterated, timid persons deprecated the exposure, on the plea that it would give instructions in the art of adulterating milk; a vain fear -- milkmen knew all about it before, whether they practiced it or not; and the exposure only taught purchasers the necessity of a little scrutiny and caution, leaving them to obey this necessity or not, as they pleased.

      ...The unscrupulous have the command of much of this kind of knowledge without our aid; and there is moral and commercial justice in placing on their guard those who might possibly suffer therefrom. We employ these stray expressions concerning adulteration, debasement, roguery, and so forth, simply as a mode of illustrating a principle -- the advantage of publicity. In respect to lock-making, there can scarcely be such a thing as dishonesty of intention: the inventor produces a lock which he honestly thinks will possess such and such qualities; and he declares his belief to the world. If others differ from him in opinion concerning those qualities, it is open to them to say so; and the discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and curiosity stimulates invention. Nothing but a partial and limited view of the question could lead to the opinion that harm can result: if there be harm, it will be much more than counterbalanced by good.

      • yes i agree - of course - but Tomlinson (and i would say that you could find something related to a more modern era to back your point up) was not telling everyone in the world - his point is that the information may be used for bad and that's a good point - but talking about how to fix a lock and posting exploit code on every available place is hardly covered by this point - sure the flaw would be there - but unless someone went looking with malicious intent (and these guys were doing that trust me) then it would not pose a problem - i make no point as to whether this is right or wrong only that for these guys to claim they are 'helping' hotmail by telling them is invalidated by their telling everyone else as well - sort of like a guy yelling fire whilst he's holding a match.

        BTW Tomlinson's treatise is very interesting and he was using it to say that just because information may be used for wrong does not mean it should not be covered under freedom of speech, and that's a good point. However from what i have read freedom of speech does not cover criminal actions and incitement to commit a criminal act - the knowing distribution of information designed to facilitate or encourage an act contrary to the law.

        That's what these guys are doing - they set out to compromise a commercial system belonging to a private company with the aim of exploiting that system for their gain (fame, notoriety etc etc) - this is a crime no matter what they claim. They then spread the information in a way designed to allow people to gain access that system thus allowing them to commit the same crime - in effect making them accomplices.

        My point is these guys are not worthy of the attention and support they get. That's my opinion anyway.

        But thanks for a great reply post - very well done and interesting. and made me think - you may be right, i may be wrong , but that's what this place is all about
        • Well, it's like this...vendors do not fix things. Software can be horribly broken, and nothing will be done even though the vendor is fully aware of the problem. Vendors simply refuse to release the fix, because it will incur additional costs. Publically releasing the flaw and exploit methodology virtually ensures a timely fix. Otherwise, nothing would ever be fixed. Deal with support from a real provider for a year or two and it will all become clear.
          • I agree with that - i deal with vendors everyday - especially MS (I'm an MIS manager in an MS environment) but if you think they are bad try SAP vendors - these guys make the CIA look friendly and easy to deal with.

            But you are correct vendors don't fix code and i agree it's an issue and we should be telling them about flaws - but these guys told much more than them - if they had only told MS and bugtraq that would be fine, yet in this topic we have full details on the exploit and everyone on IRC and my ICQ contact know about it - it's all over the web, thus they are not just telling the vendors, or bugtraq or CERT but they are telling everyone how to hack a system - this makes them 'black hats' in my eyes (i hate that term !).

            All this sort of news does is bring publicity and cause the vendor to circle the wagons and deny everything - and they start another discussion on evil hackers (watch the TV - newsflash Hackers can read your mail) and obfuscate the fact that ALL systems have vulnerabilities - we all need to be aware of that. (not that's my opinion only)

            Another damn good point - i enjoy your posts man !
    • What you seem to be saying is that if the people hadn't reported it / found it, there would be no problem. This seems to imply you think they are the only ones capable of finding this particular hole.

      So if I see a dangerous condition -- say, a truck moving down the highway with a flat tire falling to pieces, or a leaking gasoline tank, or a fallen power line, or a boat coming unmoored, or a building with loose masonry, or a bad pothole, any number of things -- if I see any of these, rather than warn the public of the danger, better I should leave a note for the owner, who may be off on vacation and won't respond for several weeks? Am I supposed to be so worried that some lunatic might throw a match into the leaking gasoline that I say nothing at all?

      I think you need to bury your head in the sand a bit deeper, instead of surfacing now and then to say such silly things.
  • "Limited Scope" (Score:3, Insightful)

    by CMiYC ( 6473 ) on Monday August 20, 2001 @06:55PM (#2199952) Homepage
    Why does the media try to convince people that a "fast internet connection" is a limiting factor? It seems to me that many of the people who are script kiddies, or l33 d00z, or whatever, are people who have some form of broadband. That's like saying "well cars are only dangerous if you drive a Porsche."
    • Because the difference between broadband and dialup connections are *considerably* greater than the differences between a "normal car" and a Porsche, particularly under typical road conditions.

      In terms of relative damage one can do, a better analogy might be comparing the damage potential of a kid on a bicycle compared to an 18-wheeler.

    • It's even possible, that they launch this attack not from their home account (which would be dumb anyway, ... ok they would), but from some server they have access to (maybe by having hacked it before), with a broadband connection. Just because the attacker is connected to the internet via a 56k modem doesn't mean the attack is launched via that line.

      But let's not get that in the way of Microsoft's denying the relevance of this attack.
  • I will probably take a huge beating for saying this, but here it is. Although Microsoft has a long way to go in dealing with security issues, they are lightyears ahead of where they were only a few months ago. New tools to scan all the servers in the domain for patch levels of various vulnerabilities, fairly quick response time to notifications of vulnerabilities and no more "that's only a theoretical vulnerability" attitude.

    I am subscribed to their security notifications and there is an honest effort on their part to fix the problems. More shocking is the recognition they are giving to groups that expose these vulnerabilities - a 180 turn around how they used to disparage those who uncovered such problems.
  • Oh crap! (Score:3, Funny)

    by fobbman ( 131816 ) on Monday August 20, 2001 @07:00PM (#2199990) Homepage

    Thanks to Hotmail there are going to be a number of people out there now using my name to get valuable college degrees over the `net.


    Hopefully they'll be good sports and also get me a lower interest rate on my home.

  • All they'd see is SPAM!
    • from Horny1673_@somemadeupdomain.com Free Britney Spears Hardcore!
    • from Blah684yi8s@anothercrapdomain.com Consolodate your debt now!
    • from gr33r5s@hotmail.com Attract Men and Women

    And let's not forget...I send you this e-mail in order to have your advice. I have a hard enough time reading my e-mail. Good luck to all the crackers out there who want to read my e-mail. I even got spammed the other day by someone selling orthopedic in-soles for people with a "leg lenght discrepancy" now that is something I'm looking forward to more in the future, Niche Spam.
  • It's encrypted (with end-to-end encryption between HushMail users -- email sent to non-Hush accounts are only sent to Hush's servers unencrypted), it's more secure. I'm not a Hush representative, but after using it for a few months, it's definitely the answer. (The question being, what's the best free email service?)

    J
  • by thrillbert ( 146343 ) on Monday August 20, 2001 @07:36PM (#2200138) Homepage
    I know that /. will probably get a nasty email asking them to remove this post, but I just feel the need to post this bit of information:

    NOTE: By following these directions you will be breaking the law.


    while (in_car(use *right_foot))\
    push(($pedal) to go [@REALLY_FAST]);

    I have had this information in my head for years, but felt it was time to inform the rest of you how to do it. Now I know I will be pursued by lawyers attempting to utilize the DMCA against me for revealing this information that the vehicle manufacturers did not want you to know... such is the life of a hacker...
  • Actually, I would think that it would be news if MS and Hotmail went without a hole being found for a year or two.

    But then, MS keeps messing with things.

    maybe that's what they are doing. Not so much fixing bugs, but practicing security by randomly shifting the bugs around.

    Sorta like Whack-a Mole

    ;-)

    - - -
    Radio Free Nation [radiofreenation.com]
    is a news site based on Slash Code
    "If You have a Story, We have a Soap Box"
    - - -

  • You know the kind of letters people write:

    "Dear Somebody-you-never-heard-of,
    How are you? I am fine. Blah-blah-blah, blah-blah, blah-blah.
    Yours Truly,
    Some Bozo."

    Big deal.
    --Homer Simpson
  • by mgkimsal2 ( 200677 ) on Monday August 20, 2001 @07:45PM (#2200160) Homepage
    I've authenticated with a username and password, yet the username is also being passed in the GET string? And no check is being done to compare the username in the GET string is the same as the username associated with my session ID? Why is doing that simple comparison so hard? It would certainly "raise the bar" even higher on the "infeasible computational" chances of this happening.

    This is similar to the Ameritech ebill security hole: no checking of user authentication - just GET any billing information with a *SEQUENTIAL* session ID in the GET string.

    If this is an example of the authentication they've planned for Hailstorm services, I think many more people may have second thoughts about quick adoption.
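
The comparison the comment above asks for, as an added example that is not part of the original thread or of Hotmail's code: the mailbox is taken from the authenticated session, the username in the request is treated as untrusted, and repeated refused lookups from one session are counted so message-ID guessing gets flagged. All names, message IDs and the threshold are hypothetical and constructed for illustration.

```python
import secrets
from collections import defaultdict

# Constructed sample data; message IDs are made up, not real Hotmail IDs.
SESSIONS = {}                      # session token -> authenticated username
MAILBOXES = {
    "alice": {"MSG998349012.7": "Lunch on Friday?"},
    "bob": {"MSG998349015.3": "Your order has shipped"},
}
MISSES = defaultdict(int)          # session token -> refused lookups so far
MISS_LIMIT = 5                     # assumed threshold for flagging ID guessing


class Denied(Exception):
    """Raised for every refused read; deliberately carries no reason."""


def login(username):
    """Issue an unguessable session token bound to exactly one username."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def read_message_vulnerable(token, login_param, msg_id):
    """The behaviour the comment describes: any logged-in session may name
    any mailbox in the request; only the message ID stands in the way."""
    if token not in SESSIONS:
        raise Denied()
    try:
        return MAILBOXES[login_param][msg_id]
    except KeyError:
        raise Denied() from None


def read_message_checked(token, login_param, msg_id):
    """Same lookup with the ownership check added."""
    session_user = SESSIONS.get(token)
    if session_user is None:
        raise Denied()
    if MISSES[token] >= MISS_LIMIT:
        # Session already looks like it is enumerating IDs: stop serving it.
        raise Denied()
    # The simple comparison: request parameter must match the session owner.
    same_user = (login_param == session_user)
    # Index the store by the session's user, never by the request parameter.
    body = MAILBOXES.get(session_user, {}).get(msg_id) if same_user else None
    if body is None:
        # Wrong owner and wrong ID get the same answer, so a caller cannot
        # tell "message exists in another mailbox" from "no such message".
        MISSES[token] += 1
        raise Denied()
    return body


def flagged_sessions():
    """Usernames whose sessions reached the refused-lookup threshold."""
    return sorted(SESSIONS[t] for t, n in MISSES.items() if n >= MISS_LIMIT)


if __name__ == "__main__":
    alice, bob = login("alice"), login("bob")
    print(read_message_vulnerable(bob, "alice", "MSG998349012.7"))
    try:
        read_message_checked(bob, "alice", "MSG998349012.7")
    except Denied:
        print("cross-account read refused")
    print(read_message_checked(alice, "alice", "MSG998349012.7"))
```

With the check in place, guessing a message ID correctly no longer matters, because the lookup never leaves the session owner's mailbox.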

  • Is it still open? (Score:5, Interesting)

    by update() ( 217397 ) on Monday August 20, 2001 @07:54PM (#2200184) Homepage
    I'm not one of those people who starts gloating every time a Windows vulnerability appears, claiming it proves how awful Microsoft development is and how clearly inferior their products are to free alternatives. (How many holes in wu-ftpd do you need before that rings empty?)

    But to me, the most astounding betrayal of computer security ever was Microsoft's conduct during the last Hotmail breach. Not that it happened (could happen to anyone) or even that they didn't pull the plug until days after the exploit was made public but that they kept going for hours after everyone had the URL for the backdoor.

    There was a great Salon article [salon.com] by a woman who heard about the breach on CNN, found the URL here and read her ex's new girlfriend's mail. I love the conclusion:

    Late Monday, Microsoft continued to downplay the Hotmail hack in a statement published by Reuters: "We're hoping that because we jumped on it so quickly no one was affected."

    Fat chance.

    I wonder if this time will be different...

  • 1 53nd y0u th15 m41l 1n 0rd3r t0 0wn y0ur h0m41il
    4cc0unt!

    (I just couldn't resist :-)
  • His girlfriend knows all his information, like zip code and location, so she clicks on forgot my password. Having passed that, his security question was: "What's my sister's name?" That wasn't too hard.

    Needless to say, once she got in and had a look at his e lover's correspondence, the four year relationship ended quickly.
  • Gotta love the "experts" that TechTV talks to... From the article: In addition, intruders would first need to log in to their own Hotmail accounts, which means they'd leave a clear trail for investigators to follow, experts said.

    Uh, yeah, more like "intruders would first need to log in to a new, free, anonymous Hotmail account". Not much of a deterrent!
  • Okay. If this isn't a hoax, then why hasn't anyone posted the contents of billgates@hotmail.com yet?

    --Blair
  • by Lizard_King ( 149713 ) on Monday August 20, 2001 @09:19PM (#2200466) Journal
    you can download the hobo4 program, written by the folks at Root Core to automate this vulnerability here [64.23.55.50]. Warning about the code however:

    a) it's in VB

    b) you'll see methods like this:

    Public Sub ii(MSG As String)

    l_info.Caption = ">" & MSG

    End Sub

    are there no coding standards even among hacks?
  • by Wakko Warner ( 324 ) on Monday August 20, 2001 @10:22PM (#2200637) Homepage Journal
    Does anyone else think that "crackers can read your email" is something Chef from South Park would say?

    CHEF: Now, children, don't leave your computer on when you're not around! Crazy crackers can read your email!

    STAN: Holy crap!

    CARTMAN: You guys are so lame.

    - A.P.
  • All you can do is read other people's spam.
  • by RPoet ( 20693 ) on Tuesday August 21, 2001 @03:25AM (#2201565) Journal
    Just read this l33t article [tuxedo.org] on "How To Become a Hacker", and you'll be hacking into people's mail before you know it!
  • by crucini ( 98210 )
    From the story:
    In addition, intruders would first need to log in to their own Hotmail accounts, which means they'd leave a clear trail for investigators to follow, experts said.

    Experts? Experts who think you need real-world authentication to log into hotmail?
    "The average person in the street doesn't need to worry, as they would have to be specifically targeted," said Graham Cluley, an Internet security expert with antivirus firm Sophos.

    I'll just leave my door unlocked because it's not a problem unless I'm specifically targeted.

    Anyway, if you're going to write a web page that cites other web pages, please put in a link. The anonymous authors of this page ("Tech Live staff") neglected to link to Root-Core [root-core.com], which seems to be the focus of the story, although they linked to Sophos, which was tangential.

    And this was on Bugtraq on Saturday.
  • Now someone's going to get into my hotmail spam account and be able to read all my spam. What to do?

    I mean, really, does anyone use hotmail for anything other than a spam repository?
  • Just give up. Seriously. You tried you failed repeatedly you continue to suck. You are the IUD of the internet. Utterly incapable of taking care of yourself and completely unloved. Just kill yourself and go away.
  • I'm all for a security hole in Hotmail if I can get the crackers to somehow delete the 100 pieces of spam I get to that account everyday.
