Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Update: MS Says Hotmail "Security Issue" Resolved 183

Bartleby writes "Here is MS's letter about the 'service issues that have generated questions about security.' A textbook example of PR-driven understatement. When my colleague and I logged in to his Hotmail account with no password using simple HTML, we thought it rated a little higher than a 'service issue.'" Previous Slashdot story about this Hotmail 'service issue' here.
This discussion has been archived. No new comments can be posted.

Update: MS Says Hotmail "Security Issue" Resolved

Comments Filter:
  • Even CNN was buying this.

    I fully expected MSNBC to spout this company line but I was a little surprised that CNN just regurgitated this woithout doing a little digging themselves. (tsk, tsk)

    I think what I heard was "some web sites posted codes which allowed visitors to gain access to user's e-mail accounts without their permission. Once the code was made available, it began appearing on many web sites until Microsoft took action to stop the unauthorized access".

    Bleah. Should have been along the lines of "a security hole was discovered which allowed others to access hotmail accounts without requiring a password of any kind. This information was quickly shared on the internet and several web pages were posted with the necessary information to allow visitors to easily access hotmail accounts. Microsoft took hotmail servers down until the security hole was corrected."

  • I'm sure you guys can do better than me, but here's a couple to get the contest started...

    One coworker to another:

    "The boss called last night and said the plumbing backed up in the office, so we're all supposed to take Monday off."


    "Tomorrow is 'Frontier Days', so don't forget to dress accordingly."

    One student to another:

    "Are you ready for the big exam tomorrow?"


    "Tomorrow's exam has been postponed for two weeks."

    Dear John:

    I've found a new man. Beat it.


    Sally told me where she saw you last night. You've got some explaining to do.

    Dear Jane:

    What's this I keep hearing about you and your high school football team?


    Sorry, but I've decided I prefer guys.

    Bill Clinton to George Bush:

    Just tell 'em you didn't inhale it.

    Bill Gates to judge Jackson:

    What's your favorite charity?

  • I'm going to make a web page chock full of animated banner ads and make Mr. Gates and his highly trained engineers watch them as my refund. Can you say "Click the Monkey and win $500," Bill?
  • MS is just not paranoid enough about security issues. This stems directly from a single-user mindset and a lack of experience with multi-user and network security issues.

    Unfortunately, they're too paranoid about potential competitors.
  • I mainly use Windows to browse because it looks nicer (fonts)! After an hour or so of browsing I get sick of GUIs altogether and boot into (Debian GNU/)Linux, console-style. No fonts, no problems, not memory consuming, all good. I tweak, download new kernels, update my system, et cetera. When I feel like being in Linux and browsing, I use WindowMaker. I love the experience. And I don't drink beer.
  • What about the *nix, BeOs, and Mac?

    Its not a question of stupidity but ubiquity. The idea is to make the source available.

  • Suppose that instead of an obviously-flimsy screen door, your house has an ordinary door with a keyhole above the knob, and you have a key that fits the keyhole. Say it's a very fancy, flashy model, with an electric sign that lights up "LOCKED" in big red letters, or "OPEN" in green letters, respectively, when you turn the key.

    Suppose the people who sold you the house assured you that it was impossible for anyone without the key to open the door. To prove it, they turned the key and pointed at the sign, saying "See? It says "LOCKED", so it must be locked. The only way to open it is with the key, and only you have that, so you're perfectly safe."

    Now, suppose that, in fact, the changing of the lights on the sign is the only thing that happens when you turn the key. There isn't even a bolt installed as part of the "lock" -- it just says "LOCKED", but the door is completely open for anyone who tries to turn the knob.

    But, suppose that you trusted the people so blindly that it never occurred to you to try opening the door when it said "LOCKED", or even to look at the edge of the door to see the bolt. You just blindly believed the people who sold you the house when they said that the door could not be opened without the key. After all, the sign says "LOCKED", doesn't it?

    Now, when someone walks in and robs you, surely he is still committing a crime, but don't you think the people who sold you the house are just a little bit to blame as well, since the security that they claimed to be selling you was in fact completely non-existent? In fact, isn't it even just slightly your fault that you were either too stupid or too lazy to take even the most basic measures to ensure your own security?

    David Gould
  • We know better, sure. . . we also dont care to care. So why should my mother, really care to care. Security is defined as the state of being or "feeling" secure. The operative word is feeling secure. My mother does not want her credit card to go into the hands of a crook. So she gives it whenever she feels secure. It doesnt matter that the phone line can be tapped, she gives her number to the man on the ohter line. This is but an example of why it don't matter. This is but an example of why no one cares.

    There are lots of security freaks, who dont do anything without encryption. I dont care so much what someone knows as long as it doesnt "appear" to impede me. If i feel secure and can do what I want to when I want, then I'm using that service. It is not an issue of education mom & pop. My mother would never have used a computer if not for aol. she will not bother with learning about windows let alone UNIX. Education is not the solution for large scale computer use, simplicity is. And there is where the true war is fought, ease of use and usefulness vs security and well designed. Shareware products tend to be much better designed and more secure, but Microsloth and AOHell tend to make more usable products no matter how lousy they are. Instead of trying to educate the masses, we as the development community should work on making highly usable and useful products for mom and pop.

  • He'd only be able to do that if I hadn't have lied about all my details online...

    There's a lesson here kids: 97 year old snowboarding grannies are the major web demographic for a reason :)

  • Yeah, right. We'd have encrypted mail if it wasn't for your government. -- "Yeah, right" is the only example of a double negative in any language
  • ...postive

  • Note that this time when M$ screwed up, it was with one of their services, which quite a few ppl rely on, not in their software.

    Thus your discussion of OS is completely irrevelevent, hotmail is as usable as it is, without regard to OS or system architecture, although from what i hear it seems to favor only recent browsers.
  • So how did you come to choose hotmail over yahoo or any of the others. I use yahoo for the same reasons you mentioned, but I also like the fact that it is not such a haven for crackers and spammers (heck, MS wouldn't even delete the hotmail account that a trojan was emailing info to) and it seems to have a slightly better reputation. I loathe email from hotmail even more than AOL. Also, I can actually clean out my trash when I want to.

    With Hotmail's security you don't need to clean out your trash - you just wait until an exploit is discovered and somebody else hijacks your account and deletes everything for you!

  • After reading the original CNET [news.com] story, evidently many people wrote in to correct Microsoft's statements about the shutdown timing and the need for knowledge of "advanced web technology" to exploit the hole. They dispute Microsoft on these statements a bit now.

    Wired [wired.com] and ZD Net [zdnet.com] also have stories up that debunk Microsoft pretty well. I just haven't seen any stories that get it right in "mainstream" press yet, like Reuters, AP, CNN, or NYT. Any links? I would think that this is a story that has some legs still...

  • So if I add "ttyp0" to /etc/securetty and disabled the root password on my linux box, who would take the blame for "breakins": Linux or me?

    Regarding the ebay outages (which MS blamed on Sun), the problem was that Sun did provide patches, but the ebay admins did not apply them. Is Sun responsible?
  • Most people simply won't be bothered with
    details so all they want to hear is good
    news. Even if it's lying to yourself, it's
    better than the alternatives: reading HOWTO's,
    spending time experimenting, and actually
    admitting to yourself you haven't got a clue.

    Microsoft is doing them a service by providing
    only news they want to hear. (Write HTML
    without knowing it! Use WordProcessors with
    ease! Simple database management! etc. etc.)
    Only people who look further than the surface
    can see Microsoft isn't living up to those

    People who care about computers use Unix.
    Hopefully their number will grow.
  • I use it because it's easy, it's fast (yeah, it is, most of the time), and because I don't like giving my real e-mail address out. I use that address for actual work. I can't have a spam flood on it.

    But my hotmail account is practically a throwaway account. If the spam ever gets too bad, I toss it and sign up for another. No loss to me.

    Anyway, it is a good service, for a free one. Anyone using this for any sensitive info at all however, is an idiot.

  • But I don't care about the security issue.

    The reason is that all I use the thing for is web site registration where they require you to provide an email address. Like, for example, Microsoft.

    This is the ONLY thing I use it for, and have never given it out anywhere else.

    That account now gets 4 or 5 spams a day. I pop in every couple of weeks and clear them out.

    In the meantime, my main account hasn't gotten spammed in almost 2 weeks.

    So there is a purpose for a hotmail account, and I'll continue to use it. If some script kiddie wants to read my spam, I don't care.

    Joe D
  • This story is also front page news on at least the online versions of the two major British broadsheets, the Times and the Daily Telegraph. Both of the stories make it clear that it is Microsoft who is reponsible for the security breach (I don't believe that the Times even used either of the "-acker" words) and refer to other recent Microsoft security problems.
  • ... And Heroine helps children sleep...
    "I have no respect for a man who can only spell a word one way." - Mark Twain
  • by Anonymous Coward
    at least they didn't try to pull that old
    "not a bug, a feature" line.
  • Typical MS PR stuff... We admit a slight problem which we then fixed after being told about it... even though they knew about it hours before they admitted it...

    Unfortunatly, I feel that there is no such thing as bad publicity... how many people that are new to the internet will take a look just to see what the Hotmail service is like, only to continue using it ? Quite a few, methinks...
  • Folks,

    Does any one know how to close a hotmail account??
    If you do, please pass the tip.

    Thanks, Mike
  • by Vorx ( 876 )
    Geez, they forgot to note how 'timely' and 'proactive' their admin staff was at pulling the plug on the site--- if my service had a hole so big that someone's blind grandmother could fly a 747 through it, that network cable would be disconnected so quick your head would spin... better to down the service for a few hours than to let everyone roam around freely... let the PR spin begin!!!!
  • by Boolean ( 15853 )
    And I thought them calling Back Oriface a minor threat was bad.
  • By that reasoning, the only time RedHat should notify their customers of problems is when there's a bug or security hole in their installer, or some other RedHat-specific piece of their distribution. They bundle the kernel and all the various apps and tools and stick their RedHat Linux brand on it, so it's incumbent upon them to take responsibility for anything that goes into their distribution. If they're not willing to do that, they should yank the offending app from their product. For a company whose business model is almost entirely based on support and services, their response is not reassuring.


  • The administrators of this site (Slashdot) made a point of not themselves publishing the URLs to the sites trafficing in the information needed to trespass. It's up to a legal body to determine if the fact that they then stood by and watched as users posted that information in forums they moderate implicates them.

    Posting the specific details of a security exploit should not be illegal, especially when it is as simple as a URL. Software and security measures get better much more quickly when the details of an exploit are made public.

    Many of the people who tried out the Hotmail exploit did so using their own account, or the account of someone who gave permission for the attempt. Those folks have nothing to worry about, and the other idiots will probably be saved by the sheer volume of break-ins.

  • I can't believe that people would be pacified by this trite little statement. Microsoft should be collectively taken out back and shot.
  • My guess is that people jump on Microsoft when they screw up because it's funny. They have a pretty sleazy reputation.
  • Ok. First, Microsoft makes windows. Therefore it's only natural that *their* compiler/development integrates the best with *their* operating system. After all, they wrote it.. they know it's quirks better than a 3rd party company that has to lease info from them. It's a sad fact of life.

    Second, the other compilers which you mentioned aren't nearly as much of a universal standard as Microsoft VC++ is. Thats what happens when you have a monopoly, microsoft used their leverage in the OS field to expand into other markets (development tools). Another sad fact of life.

    Third, there is now an effort to port Mozilla/Win32 to DJCPP (a free win32 compiler).

    And why are "Microsoft users such idiots" because Mozilla is compiled with MSVC++? That question doesn't make sense, but I'll take a stab at it. The average user doesn't really tell which compiler their web browser was compiled with, so they don't really get to choose which development environment it was written/compiled in.

  • by stuntpope ( 19736 ) on Tuesday August 31, 1999 @05:25AM (#1714845)
    I just read on http://news.bbc. co.uk/hi/english/sci/tech/newsid_434000/434120.stm [bbc.co.uk] an official response from Microsoft that shows their continued inability to take the blame. Rather, they'd point the finger elsewhere.

    MS spokeswoman Erin Sanford is quoted as saying, "The security of our system is paramount and it was necessary to shut down Hotmail for a short period to stop this difficulty. We will be looking at how the information which created this problem was made public."

    So, MS is saying the publishers of the exploit are the ones responsible for the problem. No way could it be MS's fault!


  • Whether Microsoft is "defending it's right to innovate" or "upgrading" "known issues", we who keep the facts should do the world a favor. Microsoft can't back out of it's confabulation of the truth... It is in too deep. They cannot admit to trying to defend their rights to make exclusive contracts. They cannot admit they are fixing bugs. So we must make them wear it. Like a scarlet letter "I". Insincerity. At every press conference, every question, every time their damage control tactics come up in a conversation, we bring it down like a hammer. Insincerity. Insincere behavior in marketing is as close to illegal as you can get without the Feds knocking down your door (wait a second... they are!). Noone likes to deal with an insincere person, one who tries to seem genuine only to get something out of you. Microsoft is insincere, and it won't stop being insincere until it's black heart stops beating (forgive the hyperbole). So insincere we should call them, and we should call them out on being insincere! -Ben
  • So.......you're saying that you keep a record of all your passwords on a Windows box?

    ....hmmmm....what's your ip address?
  • The problem is with people's habit of placing blame, rather than responsibility. The two are not the same thing.

    In the case of the Navy vessel, the responsibility for the application crashing on a division of zero is clearly that of the application writers. They wrote the thing, it was their job to put in suitable checks and error traps.

    On the other hand, an OS that crashes because an application crashes is no better written, and that IS Microsoft's responsibility. The OS should not be vulnerable to such knock-on affects, and should certainly have error traps of it's own.

    In Hotmail's case, the OS was not broken. Nor was the web server. These performed their tasks admirably. The fault seems to have been in the CGI script, which is not the responsibility of the OS or web server programmers. The CGI script is the responsibility of those who wrote it. If, as others on Slashdot have alleged, the loophole was added at the request of Microsoft, then Microsoft shares the responsibility for that. Nobody else is responsible for Hotmail's CGI scripts, in any way, shape or form.

  • A software glitch (division by 0) resulted in the entire LAN crashing. That's right, one database failure caused the entire network to go down. Try that on linux as a regular user.

    Here's the original story: http://www.gcn.com/archives/gc n/1998/july13/cov2.htm [gcn.com]

    and a quote:

    "Using Windows NT, which is known to have some failure modes, on a warship is similar to hoping that luck will be in our favor," DiGiorgio said.

  • Don't you think that if email went down on hotmail Saturday morning they'd call people in to fix it before Monday?

    So why isn't a major security problem given the same priority?

  • Is IE5 better than IE4, or do you just get a warm fuzzy feeling that you have the latest WinXX bug-fix installed. (yeah, right)
    Yes IE5 is better than IE4, it does CSS better for one.
    I don't like Microsoft, but I'm not so jaded that I can't admit when the do something right (or at least better than before).

  • and I wonder where you get the idea that IE6 will be better than IE5

    Of course it won't. Internet Explorer 6 will likely be released solely to implement new (proprietary) "extensions" to web formats. Of course they will claim that they did this because so many of their current users were begging for it. And, incidentally, the new extensions will cause competing products to core/GPF/whatever. Very typical indeed.

  • When a programmer screws up and creates a buffer overflow do you object to calling the discovery of the problem hacking or cracking?

    Discovery of the URL that allowed entry was a crack.

    After it was published, using it wasn't difficult enough to deserve the name "cracking". Even script kiddies would disavow it I'm sure. I'd personally judge Microsoft's statements about the "advanced web programming knowledge" required to access mail accounts a plain lie to falsely reassure customers.

    Having a rogue script active on a machine can be called a mistake, not necessarily negligence. I don't know if they tested the service enough to escape negligence there. However, leaving customers vulnerable for 10 hours after the exploit was widely known is awfully hard to justify, and I think it can be fairly easily documented.

    What part of "anyone's hotmail can be read or sent by anyone on the web" didn't you understand Mr. Gates?" :)


  • Leave it inactive for 90 days. If you're lucky, they'll notice and delete it. Thats really how to do it as far as I can tell.

    If you're concerned about security, just delete all your mail. It only takes them a few days to empty the trashcan.

  • Ah HA ah HA, yes very very funny. so funny infact i forgot you laugh?

    the fact that ms fucked up is kinda so what'ish i mean kernels have bugs most linux software at one stage or another has A bug or a backdoor the minute MS fucks up you all laugh just like anyone eles there stuff needs debugging I honestly think you sould get over it? (No i am not Pro MS or Anti Linux)
  • How much did you pay for the Hotmail account?

    This has been mentioned several times. I think it's important to note that the ?acker's ability to vicariously write e-mail messages renders the question irrelevant.

    It doesn't matter how much I payed for the mail service. If someone can represent themselves as me using the service then it could cost me quite a lot. The malicious intruder could reply to messages sent to me, delete important messages, subscribe my friends or business contacts to porn mailing lists, etc.

    I'd say that, free mail or not, the amount of damage that could be done might easily exceed the cost of any mail service.

  • Maybe MS *should* send all of its Hotmail users a $0 check. It would at least be an admission that they screwed up.
  • I've mentioned Hushmail [hushmail.com] as a secure alternative to Hotmail before... It seems there are still some concerns. Here is Bruce Schneier's analysis [zdnet.com]. Also interesting is HushMail's reply [zdnet.com]. (Hey, Hushmail uses Blowfish [counterpane.com]!)

    Also noteworthy is that HushMail released their source code. [cypherpunks.ai]

    If you ask me, it beats Hotmail hands down. :)

    "There is no surer way to ruin a good discussion than to contaminate it with the facts."

  • by dirty ( 13560 ) <dirtymatt@gmai[ ]om ['l.c' in gap]> on Tuesday August 31, 1999 @07:07AM (#1714869)
    What bothers me most about this entire mess was the comment made by the microsoft spokesperson yesterday. Something to the effect of "exploiting this whole requires a detailed knowledge of web programming languages." It required knowledge of a URL. VE&js=no&login=ENTERLOGINHERE&passwd=eh

    Simply replace ENTERLOGINHERE with the name of the account and it worked. This isn't even cracking imho. It's like when someone forgets to set a root password on a box that accepts root telnet logins. Typing "root" and hiting enter isn't cracking the box, it's stupidity on the admin's part. It's the same thing as leaving your car doors unlocked then complaining when your discman that you left on the front seat gets stolen. Microsoft left the proverbial door to hotmail unlocked.

    The whole spin on this makes it appear to be "those bad hackers" attacking poor innocent microsoft. I'm sorry but accepting a URL as a form of authentication with no password checking is plain stupid. This reminds me of the at&t vs. mci story from a little while ago discussing how the two companies handled outages. at&t admitted to the problem and kept customer's informed about what was going on. mci blamed someone else and lost a lot of respect and possibly bussiness.

    Microsoft needs to grow up and except responsibility for their mistakes.
  • How much did you pay for the Hotmail account? How different is the Spinglish in this message from any corporate non-apology?

    Did we all somehow forget that Microsoft is a corporation? This is why Linux is here, and is thriving and growing.
  • Microsoft was "awarded [pcworld.com]" the People's Choice Award by Privacy International [privacyinternational.org], on April 8, 1999, for being the most frequent nominee presented by the public for intrusive practices and invasion of privacy.
  • No TOS can strip rights granted by state law. If it tries, the judge will simply declare that part (or all!) of the TOS unenforceable. That's why all disclaimers and TOS are careful to note that the customer "might" have rights under state law. (I use quotes because I think all states grant some rights.)

    However, the baseline established by state law tends to be pretty low. Were you killed by the product, or seriously injured? You can probably sue, unless the industy is explicitly protected by state law. (E.g., Colorado ski resorts generally can't be sued by the family of skiers who die or are injured.) Were you inconvenienced? Tough luck.

    *IF* Microsoft, as owner and operator of Hotmail, had denied that any problem existed and continued to insist that its email service was "secure" despite strong evidence to the contrary, it *might* be such gross negligence that state laws would be triggered. But I doubt lawyers could do much with the facts known today.
  • If someone I was trusting with my house left the back door wide open I would blame them first and the robbers second. Last on my list would be the third party who pointed out to everyone that the door was open.

  • Its much easier to speak of security issues a hacker has caused instead of bad design mistakes in M$ software on a foreign hardware.

    Security issues can be solved but design mistakes speak of incompetent developers which could lead to the thought that M$ has incompetent programmers/developers in other departments as well which could make you think that all M$ software is crap (why do I have the feeling that there is a lot of truth in this...).


  • ...and IE6 will be one of their final steps to complete world domination. IE 6.65 will contain a feature called "Microsoft ActiveSeventhSeal", which will immediately be broken in version 6.66 to support the proprietary ARMAGEDDON tag.
  • Very good point, though what exactly got screwed up is also of scientific interest. As well as the question of when was the screwed up code deployed: before M$ bought it or after?
  • >The am-utils package that they've been shipping is "being actively >exploited on the internet" to give root access on machines running >amd.

    The key words here are "machines running amd." I don't run amd and nor am I required to. In fact amd wasn't even installed on my machine when I installed Redhat 6.0 -I did a custom install. Now if this was Microsoft I've would've had no choice. Software like am-util would've been installed by default even if I didn't want it on my machine. Also in case you didn't notice Redhat is informing people about the amd problems in a *VERY* public fashion, which is one of the reasons I like Redhat. On the other hand did Mircosoft inform *ANYBODY* about the problem with Hotmail? Nope. People really found out about it after the news (and it *DIDN'T*) come from Microsoft made it to Slashdot.

    In other words, get lost MS-Flunky......
  • Install/Uninstall??
    What could be more inefficient than the "Self-Executing Zip File"?

    I don't know about most people, but I find
    rpm -e blah-de-balh.arch.rpm
    much easier than
    Start>Control Panel>Add Remove Programs>blah-de-blah

    Sorry, but I consider Package Management to be the main disadvantage of WinDross.
  • You make so many interesting points that, despite my signature line, I feel compelled to respond.

    "Have you been using a computer long enough to remember when Netscape 4 was better than IE3?"

    Yes. I have been using a computer since the CBM "Personal Electronic Transactor" was still a neat idea. I've been around for the entire life of the home computer revolution, both as a consumer and as someone deeply involved in the business. As such, I feel qualified to address (and make an expansive digression on) one of your next comments:

    "Now add on to this that the company holding that monopoly does not have a history of innovation..."

    I used to hate Microsoft (long before it became fashionable). I would have agreed wholeheartedly with the opinion expressed above. However, I think my long-term experience has modifed (perhaps mollified) my perspective. Here is my take, for those who care to read it, on why I believe that Microsoft is _THE_ pivotal player in the whole PC revolution (and I am not equating PC with "IBM compatible" or Political Correctness).

    I started out my PC adventure using CP/M. I used to "pip" my files from one location to another, and used "ED" as my text editor. Digital Research wrote CP/M, and, yes, DOS is a clone of CP/M that Microsoft didn't even program themselves, but bought off of another company. Strike one against Microsoft and innovation.

    Incidentally, in this extended ramble I am not arguing for Microsoft's innovation (when they _DO_ innovate - or when they blatantly steal - I will mention it, only because "innovation" was the core point of the message from which I have responded and diverged).

    However, Microsoft did remarkably improve their CP/M-clone acquisition, and continued improving it for many years. When that "improving" stopped and bloat began is a subject of argument that I really don't want to spend time on. It is useful to note that Microsoft found themselves in this position because Digital Research fucked up. DR had the opportunity to supply the OS for IBM, but they dropped the ball and MS scooped it up. No, that isn't innovation on MS's part, but it is an early demonstration of the shrewdness which has allowed MS to remain the dominant player.

    I spent many frustrating years as a salesman fighting against the MS/Intel duopoly. Almost any computer system on the market gave you more bang for your buck that did that combination. A lowly C64 was a better buy for many years than an MS/Intel machine. Still, the computer illiterate in those days, and many of the literate, were seduced by the letters I-B-M that was attached to the MS/Intel machines (and this included the clones and compatibles). They scoffed at graphics and sound. They were buying a BUSINESS machine for SERIOUS uses, and only someone interested in buying a TOY would buy THAT (THAT being anything which was better than what they were buying but not as magic, in their minds, because it lacked the association with IBM).

    Digital Research dropped the ball again when they succumbed to bullying by Apple. GEM was a better MacOS copy than was Windows, but MS, either through bluster or negotiation (often the same thing) soon won the day with Windows. By Windows 3.1 they had invented a new market. So they copied the look-and-feel portion of another OS, and they got all of the credit. Strike two against MS for innovation. Apple _did_ deserve it, as they had ripped off Xerox and then bullied DR for following their example.

    However, as before, MS improved their knocked-off copy until it was far superior to what they had copied (I expect that the Macintosh faithful will howl here). AmigaDOS was better, as was even the Atari version of GEM, but the IBM lemmings guaranteed that those systems would be marginalzed.

    You know the rest of the story (maybe you already knew the preceeding. I don't know. But I felt the rehash was necessary to make my wordy penultimate point). Microsoft and Intel win the which-platform-has-the-largest-installed-user-base war. They didn't win it because they were better. The genesis of their victory was in the IBM worshipping mentality of millions of early buyers. In those days, no one cared who wrote the OS - in fact, most didn't know what an OS was - as long as it ran IBM software. Initially, this was because users held the not entirely delusional belief that I-B-M was synonymous with SUPPORT, and later because it was easier to find IBM-compatible software in the stores as a result of the earlier massive buying of SUPPORT! chanting businesses and the lemmings who just KNEW that it had to be better if it was made by IBM. IBM was an incredibly powerful name in those days. This was before the debacle of the MCA bus had corroded their reputation.

    Anyway, for the penultimate point and the cause of this lengthy digession (Part I): the conformity that MS and Intel accomplished was a GOOD thing! Before, with the splintered market, computer technology proceeded at a snail's pace. Programmers had to develop for marginal platforms. This is very much akin to the VHS, Betamax and (in the UK) Philips 2000 days. Beta _WAS_ a better system, but fewer of the machines could be found in stores (there were no compatibles. Remind anyone of Apple?), so fewer titles were sold, and sales were hugely diminished. An inferior product wins. Just like Microsoft and Intel (Motorola had always produced a superior microprocessor).

    Part II: So, Microsoft continued updating its products and OS to stay ahead of the competition (particularly their products. WordPerfect used to occupy the throne currently occupied by Word. Before WordPerfect, it was occupied by WordStar. Ditto Excel and Lotus and VisiCalc). It did NOT update products because it wanted to waste the money. I'm sure that MS would have been perfectly content to sell you the same product forever, never spending another dime on development costs. But competition drove the products forward. When products get bigger, they almost invariably get bloated. A (perhaps) nearly irrelevant aside: Think of StarOffice. What a bloated piece of shit. I hope Sun fixes it before they start hawking it as a viable aternative to MS-Office. No, wait, they don't have to - they can just hawk it as a non-MS alternative, and a certain large (and growing larger) market segment will come running.

    Part III: Fatter products and OS's pushed forward hardware development. Accelerated it, in fact. Hand in hand Microsoft and Intel (and other conspirators) pushed the PC platform into the 600Mhz 13GB HD state that it is today. And I like it that way. If you don't want it or need it, there are plenty of 386's that you can buy at the Salvation Army or the Good Will or auctions, cheap, and Linux in console mode will run brilliantly. I, for one, am glad that it happened. A homogenized market is required for that type of development cycle, folks. And MS was/is the great homogenizer. "Oh, no!" some of you will gasp. "He is encouraging bloat to push the development of faster hardware!" No, I'm not. Bloat is never desirable. However, I maintain that it is often the BY-PRODUCT of rapid development, and that it produced some very desirable side-effects. I am grateful for my 380MZ PC with 64MB of RAM and 16MB Riva TNT video card. Do you think they would have come into existance without the market-collusion of MS and Intel? And, as the market matures (as it is in the process of doing now), alternative (better) OS's emerge which are leaner and use that fantastic hardware to maximum advantage. Then the cycle possibly repeats itself. We are only now nearing the end of the first cycle, so time will tell how it finishes. I mean, MS is very shrewd. It is relatively unlikely, but still possible, that MS will pull a rabbit out of its hat and surpise us all. It might be the victor in two cycles, this and the next.

    As for MS innovation, I think that we owe the major improvments in browser technology to MS. CSS and XML were implemented by MS long before Netscape had thought about them. CSS in Navigator is shit. Now, I know that MS did not have pure motives. I don't care. But MS introduced CSS support (limited) in IE 3, and changed the entire picture. CSS support got better in IE 4 and 5, and now Opera and Mozilla are re-drawing the picture again. If (for their own greedy reasons, namely to wipe Netscape off the map) MS had not championed CSS, it is very doubtful that CSS and XML would be so integral to Mozilla. Score on for Microsoft innovation. Further, Mozilla would not exist if MS had not clobbered Netscape in the browser market.

    Regarding MS's predatory tactics: all is fair in business, folks. We live in a free market economy. The company with the biggest stick and the most money wins, like it or not. We gave MS that stick by giving them our money.

    Anyway, that closes this opus. I hope I see some thoughtful responses.

  • [I normally avoid responding to anonymous cowards, but I think this deserves to be read by others, simply for a perspective.]

    Anonymous cowards making incredible allegations about the "crimes" of people who dare to tell the truth in public carry absolutely no weight at all.

    While you want to intimidate, track down and jail whistleblowers who have the integrity to sign their own statements and assume responsibility for them, I want you to enjoy your freedom to speak anonymously if you so desire to protect yourself from unlawful harassment because of what you have to say. As long as your statement itself doesn't involve a serious crime (and no, I don't consider simply informing the world about how crimes are committed one of those), anybody involved in the mere handling of your statements on your behalf should be required by law not to reveal your identity even before a court of law!

    Such is the law in Sweden with respect to printed media, based on the principle that the publisher is solely responsible for what is being printed. Since Slashdot is an unmoderated medium, that principle can hardly be applied here, but that doesn't make the freedom it would yield any less desirable. I don't care that you don't have the slightest idea of what freedom of expression means, but I want you to enjoy that freedom as much as anybody else, because if you can't, then that freedom isn't worth a dime to anybody else either.

    And, if you are still not convinced, please report my name and e-mail address to your nearest police officer, the FBI [fbi.gov], Interpol [interpol.int], or any Microsoft [microsoft.com] lawyers you know. I'm a system manager at a Swedish university, and it's my job to protect the privacy of our users as well as the integrity of our systems against attacks from anywhere.

    Privately, I'm sick and fed up with silly government attempts at controlling the spread of information, such as bans on cryptographic software, laws regulating the mere mentioning of named individuals in electronic communication, "copyright infringement" claims raised against proxy HTTP servers, software patents, police snooping on private mail and so on.

    I freely admit to a strong desire to circumvent any technical or legal obstacles placed in my way for no legitimate reason at all, and pointing out security flaws in computer software or service configurations - even to the point where continued operation of said software or service is jeopardized - is to me a good deed for the well-being of man kind.

    I have decompiled and studied binary code without regard to any copyright on it, simply to satisfy my curiosity. I have modified the Netscape Navigator binary (international version) and configuration to enable US-strength encryption as well as change the "license agreement" nonsense into something in line with Swedish law for the benefit of our students (we don't accept "shrinkwrap" licenses over here), without asking Netscape. I routinely press the "Accept" button whenever I install software at work or at home, knowing that it means approximately "null and void" to me. I may read the "license agreements" after installation, just for the fun of it. I have transmitted encryption software across national boundaries. I have exploited security holes in computer systems owned by others, without their authorization, to obtain useful results such as improved network connectivity.

    I scoff at the obscene claims [algonet.se] made by German authorities to "own" Adolf Hitler's literary works, and I'll gladly make and distribute copies of Mein Kampf or any other garbage he wrote whenever I feel like it. I conspire with my friends to change the ways things happen around the world, whether in politics or in business, not merely by voting in elections or participating in marketing polls. I believe I do all this in full compliance with the law and with judeo-christian ethics, but if I don't, I'm prepared to defend my actions in court.

    I challenge you to report all the above to the appropriate authorities, simply as an experiment to show how futile that is, and how pathetic your remarks are. I promise you that I will not have you prosecuted for making any false accusations against me (though I cannot answer for any actions by others). Ain't I kind? Believe me, it's hardly worth the cost of a phone call.

    No, I'm not giving you my residential address. I may be frank, but I'm not stupid. If you are serious, you could either ask my ISP Algonet [algonet.se] (it's my primary private ISP, not a mailbox hideaway), or you could ask Datainspektionen [www.din.se], the Swedish government agency charged with maintaining the register of those who maintain databases with personal information, for the owner of registration license number 9999110043 [algonet.se] (it's mine). Make sure to include ample copies of any evidence you have against me either committing a crime or violating anybody's privacy by storing their names electronically (I'll mention Bill Clinton, Börje Ramsbro, Håkan Nordquist and Tomislav Micic to give you a fair advantage). Good luck!


  • Gads, you really are an idiot. So NT users can't choose which services to run? Tell us another one. And yeah, RedHat's being so public about all their bugs the way they bury it on their website. Guess they wouldn't want all those Wall Street investors to be able to see how shoddy it really is.

    As for informing people, thank you for showing the hypocracy that I'm talking about. The reason a lot of people here found out about the Hotmail problem here before Microsoft said anything about it is because Slashdot ACTUALLY REPORTED IT -- whereas they DIDN'T REPORT the RedHat problem. If they held RedHat to the same standard that they hold RedHat, most people here indeed would have heard about it here first; plenty of people knew about the problem before RedHat ever deigned to mention it. Nice try, junior.


  • maybe they don't work weekends

    Does anybody remember the USSR's excuse for waiting nearly three days to announce the Chernobyl disaster to the world, even to countries directly in the path of the fallout? The accident occurred on a Friday (or a Saturday), and they waited until Monday because, they said, "the governments of most advanced countries are closed on weekends."

    Hmmm. Hotmail and Chernobyl. Now there's an analogy I can live with...


  • > somebody else hijacks your account and deletes everything for you!

    But they don't! They just get moved to a trash folder where it will, someday, be cleaned up. MS even advised users (that asked) to check if they had messages in there trash. If you had something sesnitive on your hotmail account and an exploit was discovered, you couldn't get rid of it. On Yahoo!, you can delete everything and them "Empty Trash". That's the point I was trying to make.
  • FUD. MSN Messenger has always used a password authentication to access Hotmail, (some of the early versions put it in plaintext on the local webpage that is ran), but that was fixed, its no longer clear.

    So.. I hate to say it, but this "typical of Microsoft" thing is only in your mind, this time.

    (Note: at various times yesterday during Hotmail's patching periods, any attempts to read your mail @ Hotmail via MSN Messenger failed, with 403 as the result. However, that hasn't been the case for well over 12 hours now)
  • Even MSNBC is reporting that the exploit only around for about only about 8 days, which was "before any damage was done."

    The fact that the hotmail story never made in onto their main page (unlike everyone else) speaks volumes as well.

    I guess MSNBC gets stories about 40 million email accounts being compromised all the time. Princess Diana death from 2 years ago is more newsworthy.

  • Actually, I think he said bug fixes were the least relevant reason to release a new version. Even worse than how you remembered it.
  • Hmm, let's see. Microsoft announced the problem on both Hotmail's home page, as well as on the home page of www.microsoft.com.

    Now, what I'd like to know is: Why isn't Slashdot bitching about Redhat? The am-utils package that they've been shipping is "being actively exploited on the internet" to give root access on machines running amd. Wow! Something like that's just gotta be on RedHat's home page, right? Ooops. Guess not -- not a single peep.

    So, after clicking on "Updates, Fixes, & Errata," I still see no warnings. Click on "Redhat 6.0." Click on "amd." Ahh, finally!

    I dunno, but for a problem that's being "actively exploited on the Internet," you'd think that (at least by Slashdot's apparent standards), RedHat would be making a lot more noise about this. At least the Hotmail hole is no longer there.

    Face it, you would've been bitching no matter what they said while giving RedHat a free pass on all the holes that have been uncovered in just the past month.


  • We all know that Hotmail runs on a *BSD/apache platform.

    However people have said that it was the passport side that was broken, and this is a newer feature, which is used across several services. This raises questions (to me at least):-

    1. Did this crack open up just Hotmail or all the passport services?
    2. Was it a problem with the implementation of these systems or a fundemental design problem with the platforms?
    3. If its an OS issue, what OS was affected - ie what is passport running on?
    4. How is the system being made more inherently secure - rather than just patching cracks as they appear?

    So many questions, so little chance of answers :-(

    Was anything about the technique posted by the crackers?

  • "Shut up you big stupid."

    Obviously a comment from a microsoft stockholder, disgruntled NT admin (god knows I would be, if I had to work on that godforsaken abomination 40 hours a week), or an idiot in the Navy who recommended moving from UNIX to NT :)
  • You misinterpret the situation. This is more akin to 50 people in a housing development, unbeknownst to them the builder who built all of the houses built a secret passage into their bedroom. Someone else finds that passage, walks into their bedroom, then starts calling up the builder, and telling them about it. And calls up all of his friends who live in the subdivision and tells them about it, and pretty soon everyone knows that the builder put all of these secret passages into the houses. That's a closer analogy.

  • What I find hilarious is the media reports that the site was "hacked" or "cracked" when this whole thing is the fault of some incompetent CGI programmers.

    The sad part is that 99% of the world doesn't understand the problem, so press releases that say "security issue" and "everthing is ok" will be heeded by the masses.

    Why can't Microsoft just own up and admit theat they screwed up. And then fire the idiots that wrote the code in the first place!

  • Is it just me, or does it strike anyone as odd that uSquish claims to have fixed a code-level bug (as opposed to a bad config script) within a few hours?

    IMHO, the only thing you could do for a security hole in that time is move it to another part of the code, and hope that you can actually fix it before someone else notices the problem. Does anyone know what Microsoft claims to have actually done?

  • Now I don't have definative proof, but a comment above stated that this was not a bug, but a deliberate security hole put there by Microsoft to allow MSN Messenger the ability to log in to Hotmail without a password. With all of the warring going on between MS and AOL, it's pretty believable that this could be exactly what happened.

    They admitted the problem but completely downplayed it. It's a hair short of flat out lying about it. That is not the kind of behavior you'd expect from any other multi-billion dollar corporation, but it's what we've all come to know as typical arrogant elitist MS speak.

  • oh, bosh. Likening the Internet, and /. in particular, to a "crime syndicate" is silly.

    Look at it this way: let's suppose Ford made a car with the keyless entry system, and designed it so that merely by pushing all the buttons simultaneously the doors would unlock. Maybe the engineers knew that would happen, maybe they didn't. But then people chance upon it and spread the word around, via word of mouth and/or Internet.

    If my Ford got stolen in this manner, sure, I'd be mad at the thief and want him caught and prosecuted. But I'd also be mad as hell if I found out the theft was due to oversight on Ford's part that made it simple to circumvent the car's security. Especially if I found that Ford KNEW about the exploit and decided to still sell these cars, even if just one car, after hearing about it.

    Would I be angry at people who had shared this info with others? Would I want them prosecuted? No.

    You hope that a database is built logging identities of people posting comments. Well, that's a nice totalitarian sentiment. For your sake, I hope you never visit any sites that you wouldn't want your mother to know about, or ever once discuss something you wouldn't want aired in public. Because what you wish for could be applied to you as well.

    And your ominous tone is silly, too. Look, I'll say "I broke into the Pentagon's computers" logged in, not AC.

    There's a reason it's called Anonymous Coward

  • Check out "gpasman"
  • Interesting that you didn't respond to a single one of my points, but did take the time to indulge in a subtle (or not so subtle) slam: "linux is easier to use than most unixes and you simply dont have either the knowledge or capability to use it (unix)."

    I assure you that I have both the knowledge and the capability. But ad hominem attack is easier than a thoughtful reply, which is why you used it. Much better would have been a reponse along the lines of:

    "X should have font-rendering in version 4, so there is one of your quibbles taken care of," or something else that would have been germane and constructive.

  • a) Speed. Yahoo is slow as hell from most places I check e-mail.

    b) At work I am forced to use Outlook Express (on NT4! Bleeeech!). It can directly check my hotmail account. Easy, and it works well.

    c) Yahoo sucks. Yahoo has sucked for a long time. I dont ever use Yahoo for anything at all, ever, just on general principle. Ever since Yahoo started offering EVERYTHING, I stopped using it. A site should do one thing and do it well, IMHO, and I hate these so called "portals" that try to do every damn thing. Yahoo mail, yahoo auctions, yahoo friggin' maps... The hell with it, fuck yahoo.

    anyway, just my opinion.

  • >RedHat's being so public about all their bugs the way they bury it on >their website.

    If RedHat and the other Linux dists hides these annoucements like you claim, then why can they be found on nearly all the Linux newsites like Linux Today and LWN? You truly are a Microsoft-paid moron you know that? The fact is really easy to find out if there is any sort of "Security Issue" with Linux or BSD software. It's nearly impossible to do the same when you have Mircosoft running around denying that there is even a problem to begin with 99% of the time.
  • I was running through various places, and i ran across this bit. Thought it is rather interesting..

    I am quoting from

    The CGI scripts that run the popular HotMail e-mail system use a flawed security system that allows unauthorized individuals to break into user's e-mail accounts and read their mail. This problem is known to affect the version of HotMail that was in place as of December 1998. For further information, see these links:
    http://email.miningco.com/library/nus/bl120898-1 .htm
    http://www.geocities.com/ResearchTriangle/Lab/66 01/shailesh/hotmail.html "

    Specifically the first link..

    Quoting from that link..

    "Hotmail Accounts Easily Accessed by Hackers
    Hotmail is still extremely vulnerable to hackers who try to gain access to other people's email accounts, Shailesh Govekar and Krishnan VenkataRaman, software engineers at Lisec Software, have found out.

    It may be easier than you think for other people (malicious or not) to read your (Hot)mail. They do not even need your password. All it takes is a URL and the user whose email they want to read to be logged in.

    Sneaking the right URL out of Hotmail's database is easy and can be done at any time with only the user name of the account-to-be-hacked.

    On their Web site Govekar and VenkataRaman describe the necessary steps in detail. A URL looking like http://www.hotmail.com/cgi-bin/password.cgi?login= username&curmbox=active will reveal the URL that can be used to access the account belonging to username.

    If, for example, we insert "exhibitio" as the username, the URL is http://www.hotmail.com/cgi-bin/password.cgi?login= exhibitio&curmbox=active. The source (or, in Netscape, the "page info") reveal the URL to access "exhibitio"'s mail if the user is currently logged in to Hotmail: it is the first string beginning with "http", in our sample case .185.130.45_d436.

    The problem is that Hotmail uses neither HTTP authentication nor cookies to ensure an account is accessed only from the computer that originally logged in to the account. "

    Now, Lets take this evidence against Microsoft's Pr crap..


  • another interesting thing, i tried that URL,

    http://www.hotmail.com/cgi-bin/password.cgi?logi n=username&curmbox=active

    and all i got was an "Internal server error" message, not an "invalid password" or anything similiar.. Makes me wonder, vaguly, if there is still something to this bug.. I doubt it, but might be worth looking into.

    Server Name: lc3-lfd63.law5.hotmail.com
    Your Browser (User Agent) = Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)
    Last Task (ScriptName) = /home/httpd0/cgi-bin/password.cgi
    RequestMethod = GET
    QueryString = login=ACCOUNTNAME&curmbox=active


  • I think anything short of full disclosure in a situation like this is insulting. It's clear from the exploit that a "back door" was designed into the system; the "crack" was that someone simply "leaked" the argument string to open it. For all we know, their "fix" was to change the backdoor password from "eh" to "he." I think a corporation has a responsibility to say exactly what happened, why it happened, and what they did specifically to fix the problem. Pretending that the system suffered a little glitch but it's all better now just doesn't cut it.
  • "...and heorine helps children sleep ..." Well it does ... still , I get the point .

  • "Microsoft was notified early Monday morning (August 30,

    Maybe the company only operates 9 til 5 in one timezone.
    Isn't their HQ in the west of the USA, thus putting them behind
    Asia, Africa, Eruope and most of America...
  • IMHO, the Microsoft spinmeisters must have been asleep on this one.

    Why, you ask? Well, I was up late last night reading and listening to the radio and the news on one of the local mass-media radio stations ran the story on the Hotmail security hole. More and more people are going to start hearing more and more about the gaping security holes and start questioning whether they want anything to do with MS software. Those who already understand why the lastest virus scare is a problem and how it works must already be asking themselves ``Why did I spend my hard earned money on this stuff?''

    (Normally I despise the news media feeding frenzies but when it's directed in the right place, it's actually sort amusing. We may not be seeing one just yet but MS has a few cuts and there might be enough blood in the water...)

  • Given that the problem was that a CGI wasn't checking the password, the fix would be as simple as just adding in the code that checks the password, then testing to make sure it works.
  • Wow, a PR statement that tries to make the bad points seem not so bad, and emphasize what the good points are (if any). I think MS is the only company in the world that does that. Who should be shot? What about the person that found the hole, then set up a page so that anyone could get in. Is that okay becuase it's MS. If this was RedHat, Sun, Netscape, or some other company then I guess this would be a problem.
  • (Channel 4 News is one of the major news shows on in the evening on UK tv. It's main plus-point is the anchorman Jon Snow, who is pretty damn good at asking nasty questions)

    They had a rather ill-informed report, mentioning the Cult of the Dead Cow and Back Orifice, and then went on to a head-to-head between the MD of MI2G and some woman from Microsoft.

    Unfortunately, neither the MI2G guy or Jon Snow actually pinned her down to anything, and let her get away with the party line of "Isolated incident.. not a problem.. all the fault of the hackers.. E-mail's never secure anyway."

    He almost got her on a few, like "Wasn't the service up for a while after you noticed before you pulled the plug", but didn't follow up when she fluffed him, and they didn't bring up the possibility of it being Microsoft's fault/responsibility. Jon Snow finally summed up with a "Let the viewers decide" line.

    Bit of a shame. I feel they didn't really research it too well. Jon Snow did a Bill Gates interview once, and asked him something like "Your personal fortune could supply running water and good sanitation to every person on the planet. How do you feel about that?" Ended up making Billy-boy seem like the devil incarnate. =)
  • Personally I think your points are all valid. I have to do tech support for windows all day, I don't use windows because its the OS that I have to support all day. When I come home, I don't want to see WORK on my computer.

    I am often asked about Linux because I use it, and many of our customers are very interested in switching (mostly because of the "I hate Microsoft" and not because "Linux is better" - although, to define "better" I admit requires a more subjective description which I think you know enough about already.)

    I freely admit that I dislike windows, but the thing that is currently keeping more people away from Linux is that it is different from Windows, and yes, more difficult to use (for now). Companies such as Red Hat (and others!) are fixing this, and yet certain members of the Linux community hear about this and immediatly scream "Red $hite SuX0Rs!" Well, we still have some way to go I guess.

    I am not going to specifically respond to any of your points however, because they are valid. If YOU dislike the tarball/RPM conflicts for example, you are certanly entitled to. But Linux is always improving. I am patient. I just hope to be here to welcome you when we get these things fixed, so we can have our beers and relax.

  • A more charitable reading of that is, bug fixes do not constitute an entirely new version of software. That is, adding service packs / hot-fixes should normally not boost the version number.

    That's not quite true, since certain SPs have mattered a lot in terms of functionality (e.g. IIRC, NT DX3 support came in a service pack...), but it's why you don't hear that suddenly MS released MS Windows NT 4.39.110+ or so. Release a patch, but it's not a full release; they're not going to ask stores to discard their stock and issue newly mastered versions; and it's not going to be billed as another "release".

    That's the same way that, say, most Linux distributors (probably all), do not increment their version numbers for every single Errata patch and make sure to add more features before calling it a new release.
  • No, no, and no. I'm far from any sort of fan -- I use MS products only when I have no other choice. I find the hotmail product to be acceptable for a 'throw-away' e-mail address, and I use it as such. However, I think that it is a mistake to expect any business to experience a failure like this and come out with a press release saying: "Woah! We completely screwed everything up and are hopelessly lost when it comes to network security. Whoops!".

    Let's just throw away all the fanatical, biased crap for a minute and think real long and hard about it from a business standpoint: If you say something like this, your credibilty will be forever shot, and you'll probably never recover. As much as you and I would cackle with glee over the demise of MS, only an utter idiot would expect that any company would release such a self-destructive statement.

    You might argue that nobody has any confidence in MS as it is, so why would it matter. Of course, that would be incorrect. I have no confidence in MS's abilty to market a secure, reliable product. But, I assure you, there are plenty of people out there that don't know any better. If there weren't MS wouldn't be making money.

    So, we come back to the crux of the issue: MS borked things up real bad. There are a couple different ways they could have dealt with it. While shifting the blame from themselves to the scapegoat of "evil hacker guys" isn't very accurate, it didn't get the usual microsoft treatment of 'That's a feeeeeeeture'. Or simply ignoring it. Or fixing it and not saying a word about it.

    I guess what bugs me about the whole ordeal is that instead of focusing on the fact that they built themselves a gaping security hole that they either never bothered to check for, or found and left alone until someone else pointed it out, everyone is nitpicking on their announcement. And that announcement isn't half as bad as some of the others that I've seen from other companies. At least they didn't say "we can fix the bug for any customer that can prove they really need the extra security afforded by a password". :)

  • Actually, the thing that most annoyed me about the notice posted by MS was about how quickly they reacted. Waiting several hours after a problem of this severity is reported and verified, and then patting yourself on the back for reacting quickly is not ethical behaviour.

    Also, they were quoted on CNN (I think) that none of their users had complained, so they hoped that the effect was minimal. I know that I, for one, sent an email informing them of the problem, and urging them to take it down until it could be fixed.

    My suggestion for MS? Come out and admit that they screwed up, and badly. A little honesty would go a long way.
  • Ok, so maybe the wording was a bit vague regarding the extent of the security breech, but Microsoft admitted they door was open. So I'm gonna demand a *Full Refund*. Maybe I should gather together with a group of like-minded folks and storm the offices in Redmond :)
  • But does anyone else?

    Sure, the technically minded people in the world realize that this is PR, and that M$ is chock full o'holes. With macro viruses, Back Orifice, hotmail, the ping-o-death and a slew of other issues that are never quite 'resolved' in the technical sense, the computer professionals and an increasing number of knowledgeable users are more and more sying away from M$. The success of Linux is a testament to that.

    But the vast majority of the computer users out there, the ones that think Microsoft is the only software company out there, the ones that subscribe to Microsoft Internet and download a new version of the Internet everyday, and fax by holding the paper before the monitor, and complain when their cup holder breaks... They're the ones who pay good money into M$ coffers, and fund the bloat-fest and PR campaign.

    M$ made the PC accessible to virtually everyone, and now preys on the ignorance of the averabe user. What's needed is an organized effort at educating the mom-n-pop computer user. What's needed is a way to tell the truth, because M$ fails to do so.
  • by Pascal Q. Porcupine ( 4467 ) on Tuesday August 31, 1999 @08:36AM (#1714949) Homepage
    > Really? I can update my gender and year of birth?

    Well, I don't know about year of birth, but you can come to terms with gender, and you can update your sex based on it...
    "'Is not a quine' is not a quine" is a quine.

  • The German magazine was "Focus" and this was the quote:

    "New versions [of programs] are not offered to cure faults. I have never heard of a less relevant reason to bring a new version on the market."

    Pretty much sums up all their bug handling...


    JavaScript Error: http://www.windows2000test.com/default.htm, line 91:
  • by Bill the Cat ( 19523 ) on Tuesday August 31, 1999 @05:36AM (#1714961)
    It's funny that no one in the media seems to have figured out that hotmail runs on non-MS platforms (Sun?). Usually the software and hardware vendors are quickly blamed (eg. the ebay outages).

    It's a neat little situation MS is in. On one hand, it's a perfect situation to poke at a competitor, on the other hand, MS sure doesn't want to admit too openly that it's not using its back office products.
  • by jd ( 1658 ) <imipak.yahoo@com> on Tuesday August 31, 1999 @05:39AM (#1714962) Homepage Journal
    I watched CNN, this morning, and this was one of their leading items. Their take on the Hotmail story was: "Mail of any kind, unless encrypted, is never secure, and mail servers of any kind are never perfect".

    I was astonished. Sound, sensible comments from a news service??

    The other thing they said was that lawyers were looking into this, to see if Microsoft is in any way liable. After all, the problem was caused by negligence on their part, not some obscure bug or a skilled, daring cracker raid involving top security experts. Apparently, the TOS states that Microsoft is never at fault for anything that happens, but the reporter seemed to imply that not everyone shares that view.

    Assuming this isn't sensationalism by CNN, this story could get even more interesting, and possibly spell doom to the disclaimers liberally splashed over all software and online services.

  • OK, so everything's all patched up now, right?

    That's fine. Until, that is, the next time they implement some sort of new feature that does not play well with the existing aspects of the code, and something like this happens again.

    There are trade-offs between security and convenience, and there are legitimate gray areas. For instance, I use cookies to stay logged in to /. -- on a machine that is password-protected that only I have any reason to be using. Trying to remember large quantities of passwords (and having to depend eventually on password remailers), or using the same password (or small handful of passwords) on all systems, might be less secure or creating a "false sense of security" for people.

    All that said, however, there is NO excuse for the Hotmail situation. :P
  • Check out James Gleick's classic essay:



  • by qmrf ( 52837 ) on Tuesday August 31, 1999 @05:51AM (#1714970) Homepage
    Please note that no action on your part is necessary to take advantage of the updated Hotmail.

    Wow, really? Yesterday we could "take advantage of" Hotmail with a very simple action. Now it requires no action whatsoever? I'm impressed; these Microsoft guys make themselves easier to take advantage of every day.

  • I'll concede your point that this announcement was not as bad as it could have been. But we should really hold corporations to a certain degree of truth and frankness. If a Pinto explodes when hit from behind and Ford says "you may have heard about some service issues with one of our vehicles that raised some quesitons about safety; we assure you we've fixed it" we wouldn't (or at least shouldn't) stand for it. They need to release specifics about the problem and how they fixed it.

    It would be absurd to suggest MS should say "we suck." In fact, that would be just as bad because it would still obscure (or at least not reveal) the facts. At the very least, they should have a link from the PR letter to a technical description of the problem and exactly what steps they took to fix it.

    If consumers don't hold corporations to standards of disclosure, corporations will continue to evade and obscure responsibility.

  • by behrman ( 51554 ) on Tuesday August 31, 1999 @05:54AM (#1714982)
    I've read several comments here attempting to run Microsoft out of town on a rail for their statement, referenced in the abstract. While I don't think that running them out of town on a rail is such a bad thing, overall, I also think you need to give some credit where it's due.

    One of the worst things you can do, in my experience, is come out and say "Wow. Our system got totally borked, because we didn't think things all the way through and anyone who wanted could read your private mail. Oh, we fixed it, by the by." Sure, you can't deny that there was a problem, but you also can't run around proclaiming to the world that the sky is falling, or you loose any shred of confidence that anyone might have had in you.

    This was a fairly serious security breech caused by the implementation of a system before it had been throughougly tested or thought-through. That is inexcusable. And you can't just fix it and then never mention a word about it -- that undermines your credibility as much as a 'chicken little' reaction. Given the circumstances, I think it was a very appropriate response. They admitted the problem, they admitted responsibilty for the problem, and they issued assurances that the problem is fixed, and gave the usual drivel about being comitted to privacy and all that.

    As fluffy and irrelevant as all that may sound, when it comes to marketing/crisis handling, I think it was about as responsible as you can get. It certainly beats the usual 'feature-not-a-bug' argument, or the 'gee, it's because our Cisco routers got upgraded wrongly', or 'problem? what problem?'.

  • is that the more MS steps into the real networked world, the more we see this kind of screw-up. It all goes back to the mind-set at MS - it's fundamentaly a single-user mentality. This is not a hard concept for people to grasp - even for journalists and average users, who after all use MS products for the most part as single users.

    I sure wish someone would point this out in a big way.

    "Well, MS products are not secure in the real world 'cause they, MS, don't really understand mulituser, networked topology."


%DCL-MEM-BAD, bad memory VMS-F-PDGERS, pudding between the ears