Update: MS Says Hotmail "Security Issue" Resolved

Bartleby writes "Here is MS's letter about the 'service issues that have generated questions about security.' A textbook example of PR-driven understatement. When my colleague and I logged in to his Hotmail account with no password using simple HTML, we thought it rated a little higher than a 'service issue.'" Previous Slashdot story about this Hotmail 'service issue' here.

remarkable spin

I just read on http://news.bbc. co.uk/hi/english/sci/tech/newsid_434000/434120.stm [bbc.co.uk] an official response from Microsoft that shows their continued inability to take the blame. Rather, they'd point the finger elsewhere.

MS spokeswoman Erin Sanford is quoted as saying, "The security of our system is paramount and it was necessary to shut down Hotmail for a short period to stop this difficulty. We will be looking at how the information which created this problem was made public."

So, MS is saying the publishers of the exploit are the ones responsible for the problem. No way could it be MS's fault!

typical

What bothers me most...

What bothers me most about this entire mess was the comment made by the microsoft spokesperson yesterday. Something to the effect of "exploiting this whole requires a detailed knowledge of web programming languages." It required knowledge of a URL.

http://207.82.250.251/cgi-bin/start?curmbox=ACTI VE&js=no&login=ENTERLOGINHERE&passwd=eh

Simply replace ENTERLOGINHERE with the name of the account and it worked. This isn't even cracking imho. It's like when someone forgets to set a root password on a box that accepts root telnet logins. Typing "root" and hiting enter isn't cracking the box, it's stupidity on the admin's part. It's the same thing as leaving your car doors unlocked then complaining when your discman that you left on the front seat gets stolen. Microsoft left the proverbial door to hotmail unlocked.

The whole spin on this makes it appear to be "those bad hackers" attacking poor innocent microsoft. I'm sorry but accepting a URL as a form of authentication with no password checking is plain stupid. This reminds me of the at&t vs. mci story from a little while ago discussing how the two companies handled outages. at&t admitted to the problem and kept customer's informed about what was going on. mci blamed someone else and lost a lot of respect and possibly bussiness.

Microsoft needs to grow up and except responsibility for their mistakes.

Re:Principle 1.

> Really? I can update my gender and year of birth?

Well, I don't know about year of birth, but you can come to terms with gender, and you can update your sex based on it...
---
"'Is not a quine' is not a quine" is a quine.

Placing Blame

It's funny that no one in the media seems to have figured out that hotmail runs on non-MS platforms (Sun?). Usually the software and hardware vendors are quickly blamed (eg. the ebay outages).

It's a neat little situation MS is in. On one hand, it's a perfect situation to poke at a competitor, on the other hand, MS sure doesn't want to admit too openly that it's not using its back office products.

CNN's take

I watched CNN, this morning, and this was one of their leading items. Their take on the Hotmail story was: "Mail of any kind, unless encrypted, is never secure, and mail servers of any kind are never perfect".

I was astonished. Sound, sensible comments from a news service??

The other thing they said was that lawyers were looking into this, to see if Microsoft is in any way liable. After all, the problem was caused by negligence on their part, not some obscure bug or a skilled, daring cracker raid involving top security experts. Apparently, the TOS states that Microsoft is never at fault for anything that happens, but the reporter seemed to imply that not everyone shares that view.

Assuming this isn't sensationalism by CNN, this story could get even more interesting, and possibly spell doom to the disclaimers liberally splashed over all software and online services.

"Taking advantage of" Hotmail

Please note that no action on your part is necessary to take advantage of the updated Hotmail.

Wow, really? Yesterday we could "take advantage of" Hotmail with a very simple action. Now it requires no action whatsoever? I'm impressed; these Microsoft guys make themselves easier to take advantage of every day.

Is it really that bad?

I've read several comments here attempting to run Microsoft out of town on a rail for their statement, referenced in the abstract. While I don't think that running them out of town on a rail is such a bad thing, overall, I also think you need to give some credit where it's due.

One of the worst things you can do, in my experience, is come out and say "Wow. Our system got totally borked, because we didn't think things all the way through and anyone who wanted could read your private mail. Oh, we fixed it, by the by." Sure, you can't deny that there was a problem, but you also can't run around proclaiming to the world that the sky is falling, or you loose any shred of confidence that anyone might have had in you.

This was a fairly serious security breech caused by the implementation of a system before it had been throughougly tested or thought-through. That is inexcusable. And you can't just fix it and then never mention a word about it -- that undermines your credibility as much as a 'chicken little' reaction. Given the circumstances, I think it was a very appropriate response. They admitted the problem, they admitted responsibilty for the problem, and they issued assurances that the problem is fixed, and gave the usual drivel about being comitted to privacy and all that.

As fluffy and irrelevant as all that may sound, when it comes to marketing/crisis handling, I think it was about as responsible as you can get. It certainly beats the usual 'feature-not-a-bug' argument, or the 'gee, it's because our Cisco routers got upgraded wrongly', or 'problem? what problem?'.