Hotmail Hacked 494
SyD writes " Apparently there is a major security hole on Hotmail that could allow crackers to read your e-mail. A hacking group known as root core discovered the hole and reported it to Microsoft. " This isn't the first time that the folks who are gonna give us a internet wide universal login system had a hole. The funny part is that I posted a story almost exactly like this like 2 years ago, and about once a week, someone emails me and says "I think my boyfriend/girlfriend is cheating on me and I really need to know the backdoor into hotmail to find out". No I'm not kidding. You can't make that stuff up.
No no no (Score:2, Interesting)
Bring me these experts. If someone thinks my hotmail account(s) leave a clear trail to me, they're insane. They leave a clear trail to my web proxy, perhaps. Most of my accounts only ever receive one email too... "Slashdot password for user Vladinat0r"
Sigh. Experts indeed!
Re:here's the instructions how to do it (Score:2, Interesting)
What would be really interesting is to show an example hacking the rest of the sites that use Passport type technology. This would definitely blow holes in MSs idea of being the "gatekeeper".
Our better yet, it might just close the gate!!
Cal
universal variables (Score:2, Interesting)
Security works the same way. The more places you use a key, or the more people you give a copy of your key to, the higher risk you have for errors, being hacked, identiy theft, being robbed, etc. A 'single sign-on' like the MSN/Hotmail passport or AOL's new Single-Signon or Screenname (not sure what they are calling it) that all AIM accounts/AOL accounts now have become are just another invitation of risk.
Users need to be alerted of this fact, that these systems may not be secure, and users need to understand that the more people who they use their single sign-on for, the higher the risk becomes.
In this situation though, you have to wonder. If the person issuing the 'keys', microsoft in this case, does not do a good job of protecting them and making sure that their security is up to date, can it be any better than if you had a safe deposit box that sat unlocked in the middle of Times Square?
I can't wait to see what happens when in addition to all these Single Sign-on and Passport type programs, that we have Digital Signatures too. That should be interesting.
Re:Informative - More like criminal action actuall (Score:1, Interesting)
Re:Informative - More like criminal action actuall (Score:4, Interesting)
This suit [findlaw.com] is the closest I've managed to dig up so far, but between Communications Privacy Decency Act (or somesuch) and DMCA, along with a prevailing broad interpretation of "service provider", most message boards such as AOL, etc., have been found to have no liability for what goes on. If that weren't the case, ezboards would've been toast a long time ago, and AOL would be fighting dozens of lawsuits a month. Do you have any examples of case law to back up your statement?
Is it still open? (Score:5, Interesting)
But to me, the most astounding betrayal of computer security ever was Microsoft's conduct during the last Hotmail breach. Not that it happened (could happen to anyone) or even that they didn't pull the plug days until days after the exploit was made public but that they kept going for hours after everyone had the URL for the backdoor.
There was a great Salon article [salon.com] by a woman who heard about the breach on CNN, found the URL here and read her ex's new girlfriend's mail. I love the conclusion:
Late Monday, Microsoft continued to downplay the Hotmail hack in a statement published by Reuters: "We're hoping that because we jumped on it so quickly no one was affected."
Fat chance.
I wonder if this time will be different...
Re:Informative - More like criminal action actuall (Score:3, Interesting)
Microsoft's hotmail operation is in flagrant violation of the opt-out provisions of existing privacy laws.
Microsoft sends email to users' inboxes by going around the entire email system, circumventing all attempts to opt out, block, or filter the spam. These emails come from "staff@hotmail.com" and are clearly not normal messages, because they have to power to disable the Reply buttons.
When told they are breaking the law, Microsoft sends back boilerplate that alternately denies the spam is from Microsoft or gives the instructions for the aforementioned nonworking methods of blocking spam.
--Blair
P.S. As it turns out, their monthly spam-o-gram came very shortly after I opened my first--and only--hotmail account, so just about all of the correspondence that has ever transited that account has been my complaints, their responses, and more spam from them. I think the balance is one or two non-microsoft spams and one email from a guy who runs an anti-spam website to whom I'd mailed the long transcript of nonsense that had occurred.
Re:Informative - More like criminal action NOT (Score:3, Interesting)
If you're really concerned about Microsoft's lack of security and quality control, don't buy their software or use their services. And it's the problem of millions of users like you who use Hotmail, many of whom either don't have much of a choice for email accounts or were using it before MS took over. Lastly, exploiting the flaw won't make them fix it any faster than they are right now. It'll just get criminal charges pressed against a few script kiddies, and rightly so.
Personally, I think anything beyond Pine is overkill. Not everyone is lucky enough to have email accounts on Unix servers, though. Passport sounds like an absurdly awful idea, but I don't think anyone could do it right. I'm worried about Microsoft taking over the Internet, but I don't think they'd necessarily do a worse job on Passport than, say, Sun. There's not a lot of practical work done so far involving such massive systems, and I don't think they've thought it through very clearly beyond the marketing department.
Re:here's the instructions how to do it (Score:2, Interesting)