
Update: MS Says Hotmail "Security Issue" Resolved
Bartleby writes "Here is MS's letter about the 'service issues that have generated questions about security.' A textbook example of PR-driven understatement. When my colleague and I logged in to his Hotmail account with no password using simple HTML, we thought it rated a little higher than a 'service issue.'" Previous Slashdot story about this Hotmail 'service issue' here.
Re:remarkable spin (Score:2)
I fully expected MSNBC to spout this company line but I was a little surprised that CNN just regurgitated this without doing a little digging themselves. (tsk, tsk)
I think what I heard was "some web sites posted codes which allowed visitors to gain access to user's e-mail accounts without their permission. Once the code was made available, it began appearing on many web sites until Microsoft took action to stop the unauthorized access".
Bleah. Should have been along the lines of "a security hole was discovered which allowed others to access hotmail accounts without requiring a password of any kind. This information was quickly shared on the internet and several web pages were posted with the necessary information to allow visitors to easily access hotmail accounts. Microsoft took hotmail servers down until the security hole was corrected."
Crap.
Contest! My favorite HotMail message is... (Score:1)
One coworker to another:
"The boss called last night and said the plumbing backed up in the office, so we're all supposed to take Monday off."
Or:
"Tomorrow is 'Frontier Days', so don't forget to dress accordingly."
One student to another:
"Are you ready for the big exam tomorrow?"
Or:
"Tomorrow's exam has been postponed for two weeks."
Dear John:
I've found a new man. Beat it.
Or:
Sally told me where she saw you last night. You've got some explaining to do.
Dear Jane:
What's this I keep hearing about you and your high school football team?
Or:
Sorry, but I've decided I prefer guys.
Bill Clinton to George Bush:
Just tell 'em you didn't inhale it.
Bill Gates to Judge Jackson:
What's your favorite charity?
Re:Refund (Score:1)
Re:what bothers me (Score:1)
Unfortunately, they're too paranoid about potential competitors.
Re:VERY Typical... (Score:1)
Only for a Win32 binary . . . (Score:1)
It's not a question of stupidity but ubiquity. The idea is to make the source available.
How about this? (Score:1)
Suppose that instead of an obviously-flimsy screen door, your house has an ordinary door with a keyhole above the knob, and you have a key that fits the keyhole. Say it's a very fancy, flashy model, with an electric sign that lights up "LOCKED" in big red letters, or "OPEN" in green letters, respectively, when you turn the key.
Suppose the people who sold you the house assured you that it was impossible for anyone without the key to open the door. To prove it, they turned the key and pointed at the sign, saying "See? It says "LOCKED", so it must be locked. The only way to open it is with the key, and only you have that, so you're perfectly safe."
Now, suppose that, in fact, the changing of the lights on the sign is the only thing that happens when you turn the key. There isn't even a bolt installed as part of the "lock" -- it just says "LOCKED", but the door is completely open for anyone who tries to turn the knob.
But, suppose that you trusted the people so blindly that it never occurred to you to try opening the door when it said "LOCKED", or even to look at the edge of the door to see the bolt. You just blindly believed the people who sold you the house when they said that the door could not be opened without the key. After all, the sign says "LOCKED", doesn't it?
Now, when someone walks in and robs you, surely he is still committing a crime, but don't you think the people who sold you the house are just a little bit to blame as well, since the security that they claimed to be selling you was in fact completely non-existent? In fact, isn't it even just slightly your fault that you were either too stupid or too lazy to take even the most basic measures to ensure your own security?
David Gould
We know better, but they shouldn't have to (Score:1)
There are lots of security freaks, who don't do anything without encryption. I don't care so much what someone knows as long as it doesn't "appear" to impede me. If I feel secure and can do what I want to when I want, then I'm using that service. It is not an issue of education for mom & pop. My mother would never have used a computer if not for AOL. She will not bother with learning about Windows, let alone UNIX. Education is not the solution for large scale computer use, simplicity is. And there is where the true war is fought, ease of use and usefulness vs. security and good design. Shareware products tend to be much better designed and more secure, but Microsloth and AOHell tend to make more usable products no matter how lousy they are. Instead of trying to educate the masses, we as the development community should work on making highly usable and useful products for mom and pop.
Trust no-one (Score:1)
There's a lesson here kids: 97 year old snowboarding grannies are the major web demographic for a reason :)
Re:CNN's take (Score:1)
Re:CNN's take (Score:1)
Sorry
Re:VERY Typical... (Score:1)
Thus your discussion of OS is completely irrelevant; hotmail is as usable as it is, without regard to OS or system architecture, although from what I hear it seems to favor only recent browsers.
Re:Why I use yahoo (Score:1)
So how did you come to choose hotmail over yahoo or any of the others. I use yahoo for the same reasons you mentioned, but I also like the fact that it is not such a haven for crackers and spammers (heck, MS wouldn't even delete the hotmail account that a trojan was emailing info to) and it seems to have a slightly better reputation. I loathe email from hotmail even more than AOL. Also, I can actually clean out my trash when I want to.
With Hotmail's security you don't need to clean out your trash - you just wait until an exploit is discovered and somebody else hijacks your account and deletes everything for you!
:-)
Some media are covering this (Score:1)
Wired [wired.com] and ZD Net [zdnet.com] also have stories up that debunk Microsoft pretty well. I just haven't seen any stories that get it right in "mainstream" press yet, like Reuters, AP, CNN, or NYT. Any links? I would think that this is a story that has some legs still...
Jim
Re:Placing Blame (Score:1)
Regarding the ebay outages (which MS blamed on Sun), the problem was that Sun did provide patches, but the ebay admins did not apply them. Is Sun responsible?
The Average Person Doesn't Have Open Eyes (Score:1)
details so all they want to hear is good news. Even if it's lying to yourself, it's better than the alternatives: reading HOWTOs, spending time experimenting, and actually admitting to yourself you haven't got a clue. Microsoft is doing them a service by providing only news they want to hear. (Write HTML without knowing it! Use WordProcessors with ease! Simple database management! etc. etc.) Only people who look further than the surface can see Microsoft isn't living up to those expectations.
People who care about computers use Unix.
Hopefully their number will grow.
Why I use hotmail (Score:1)
But my hotmail account is practically a throwaway account. If the spam ever gets too bad, I toss it and sign up for another. No loss to me.
Anyway, it is a good service, for a free one. Anyone using this for any sensitive info at all however, is an idiot.
I have a Hotmail account. (Score:1)
The reason is that all I use the thing for is web site registration where they require you to provide an email address. Like, for example, Microsoft.
This is the ONLY thing I use it for, and have never given it out anywhere else.
That account now gets 4 or 5 spams a day. I pop in every couple of weeks and clear them out.
In the meantime, my main account hasn't gotten spammed in almost 2 weeks.
So there is a purpose for a hotmail account, and I'll continue to use it. If some script kiddie wants to read my spam, I don't care.
Joe D
Re:was on the coverpage of usa today! (Score:1)
Sure it is... (Score:1)
"I have no respect for a man who can only spell a word one way." - Mark Twain
look on the bright side.. (Score:1)
"not a bug, a feature" line.
Typical... (Score:1)
Unfortunately, I feel that there is no such thing as bad publicity... how many people that are new to the internet will take a look just to see what the Hotmail service is like, only to continue using it? Quite a few, methinks...
Re:Slashdot hypocrisy bigger than usual (Score:1)
Any one knows how to close a hotmail account?? (Score:1)
Does any one know how to close a hotmail account??
If you do, please pass the tip.
Thanks, Mike
Bwahahaha (Score:1)
Wow. (Score:1)
What difference does that make? (Score:1)
By that reasoning, the only time RedHat should notify their customers of problems is when there's a bug or security hole in their installer, or some other RedHat-specific piece of their distribution. They bundle the kernel and all the various apps and tools and stick their RedHat Linux brand on it, so it's incumbent upon them to take responsibility for anything that goes into their distribution. If they're not willing to do that, they should yank the offending app from their product. For a company whose business model is almost entirely based on support and services, their response is not reassuring.
Cheers,
ZicoKnows@hotmail.com
Re:remarkable spin (Score:1)
The administrators of this site (Slashdot) made a point of not themselves publishing the URLs to the sites trafficking in the information needed to trespass. It's up to a legal body to determine if the fact that they then stood by and watched as users posted that information in forums they moderate implicates them.
Posting the specific details of a security exploit should not be illegal, especially when it is as simple as a URL. Software and security measures get better much more quickly when the details of an exploit are made public.
Many of the people who tried out the Hotmail exploit did so using their own account, or the account of someone who gave permission for the attempt. Those folks have nothing to worry about, and the other idiots will probably be saved by the sheer volume of break-ins.
Lame, lame, lame. (Score:1)
Re:VERY Typical... (Score:1)
What? (Score:1)
Second, the other compilers which you mentioned aren't nearly as much of a universal standard as Microsoft VC++ is. That's what happens when you have a monopoly: Microsoft used their leverage in the OS field to expand into other markets (development tools). Another sad fact of life.
Third, there is now an effort to port Mozilla/Win32 to DJGPP (a free win32 compiler).
And why are "Microsoft users such idiots" because Mozilla is compiled with MSVC++? That question doesn't make sense, but I'll take a stab at it. The average user doesn't really tell which compiler their web browser was compiled with, so they don't really get to choose which development environment it was written/compiled in.
...
remarkable spin (Score:4)
MS spokeswoman Erin Sanford is quoted as saying, "The security of our system is paramount and it was necessary to shut down Hotmail for a short period to stop this difficulty. We will be looking at how the information which created this problem was made public."
So, MS is saying the publishers of the exploit are the ones responsible for the problem. No way could it be MS's fault!
typical
Insincerity (Score:1)
Re:All fixed, until the next time (Score:1)
....hmmmm....what's your ip address?
Re:Placing Blame (Score:2)
In the case of the Navy vessel, the responsibility for the application crashing on a division of zero is clearly that of the application writers. They wrote the thing, it was their job to put in suitable checks and error traps.
On the other hand, an OS that crashes because an application crashes is no better written, and that IS Microsoft's responsibility. The OS should not be vulnerable to such knock-on effects, and should certainly have error traps of its own.
In Hotmail's case, the OS was not broken. Nor was the web server. These performed their tasks admirably. The fault seems to have been in the CGI script, which is not the responsibility of the OS or web server programmers. The CGI script is the responsibility of those who wrote it. If, as others on Slashdot have alleged, the loophole was added at the request of Microsoft, then Microsoft shares the responsibility for that. Nobody else is responsible for Hotmail's CGI scripts, in any way, shape or form.
Re:Placing Blame (Score:1)
Here's the original story: http://www.gcn.com/archives/gcn/1998/july13/cov2.htm [gcn.com]
and a quote:
"Using Windows NT, which is known to have some failure modes, on a warship is similar to hoping that luck will be in our favor," DiGiorgio said.
Re:Let's see, now... (Score:1)
So why isn't a major security problem given the same priority?
Jim
Re:VERY Typical... (Score:1)
Yes IE5 is better than IE4, it does CSS better for one.
I don't like Microsoft, but I'm not so jaded that I can't admit when they do something right (or at least better than before).
-funcused
Re:VERY Typical... (Score:1)
Of course it won't. Internet Explorer 6 will likely be released solely to implement new (proprietary) "extensions" to web formats. Of course they will claim that they did this because so many of their current users were begging for it. And, incidentally, the new extensions will cause competing products to core/GPF/whatever. Very typical indeed.
Discovery is cracking, use is not (Score:1)
Discovery of the URL that allowed entry was a crack.
After it was published, using it wasn't difficult enough to deserve the name "cracking". Even script kiddies would disavow it I'm sure. I'd personally judge Microsoft's statements about the "advanced web programming knowledge" required to access mail accounts a plain lie to falsely reassure customers.
Having a rogue script active on a machine can be called a mistake, not necessarily negligence. I don't know if they tested the service enough to escape negligence there. However, leaving customers vulnerable for 10 hours after the exploit was widely known is awfully hard to justify, and I think it can be fairly easily documented.
What part of "anyone's hotmail can be read or sent by anyone on the web" didn't you understand, Mr. Gates?
Jim
Re:Any one knows how to close a hotmail account?? (Score:1)
If you're concerned about security, just delete all your mail. It only takes them a few days to empty the trashcan.
Jim
Re:Muaahhahahahahahahah! (Score:1)
The fact that MS fucked up is kinda so-what-ish. I mean, kernels have bugs; most Linux software at one stage or another has a bug or a backdoor. The minute MS fucks up, you all laugh. Just like anyone else's, their stuff needs debugging. I honestly think you should get over it. (No, I am not pro-MS or anti-Linux.)
Re:Now how much would you pay? (Score:1)
This has been mentioned several times. I think it's important to note that the ?acker's ability to vicariously write e-mail messages renders the question irrelevant.
It doesn't matter how much I paid for the mail service. If someone can represent themselves as me using the service then it could cost me quite a lot. The malicious intruder could reply to messages sent to me, delete important messages, subscribe my friends or business contacts to porn mailing lists, etc.
I'd say that, free mail or not, the amount of damage that could be done might easily exceed the cost of any mail service.
Re:Refund (Score:1)
Secure Web Mail analysis (Score:1)
Also noteworthy is that HushMail released their source code. [cypherpunks.ai]
If you ask me, it beats Hotmail hands down. :)
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
What bothers me most... (Score:3)
http://207.82.250.251/cgi-bin/start?curmbox=ACT
Simply replace ENTERLOGINHERE with the name of the account and it worked. This isn't even cracking imho. It's like when someone forgets to set a root password on a box that accepts root telnet logins. Typing "root" and hitting enter isn't cracking the box, it's stupidity on the admin's part. It's the same thing as leaving your car doors unlocked then complaining when your discman that you left on the front seat gets stolen. Microsoft left the proverbial door to hotmail unlocked.
The whole spin on this makes it appear to be "those bad hackers" attacking poor innocent Microsoft. I'm sorry, but accepting a URL as a form of authentication with no password checking is plain stupid. This reminds me of the AT&T vs. MCI story from a little while ago discussing how the two companies handled outages. AT&T admitted to the problem and kept customers informed about what was going on. MCI blamed someone else and lost a lot of respect and possibly business.
Microsoft needs to grow up and accept responsibility for their mistakes.
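As an added illustration (not code from Slashdot, Microsoft or the poster), the flaw this comment describes modelled in Python: a mailbox handler that treats the login query parameter as proven identity, beside a hardened one that takes identity only from a server-side session created after a password check. The mailboxes, passwords, salt and the example.invalid host are all constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data (hypothetical, not Hotmail's): two mailboxes and salted password hashes.
MAILBOXES: Dict[str, List[str]] = {
    "alice": ["From: boss - plumbing backed up, take Monday off"],
    "bob": ["From: registrar - exam postponed two weeks"],
}
SALT = b"constructed-static-salt"  # a real service uses a random per-user salt


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


PASSWORD_HASHES: Dict[str, bytes] = {
    "alice": _hash_password("correct horse"),
    "bob": _hash_password("battery staple"),
}


def vulnerable_start(url: str) -> Optional[List[str]]:
    """The flawed pattern: whatever name appears in ?login= is treated as the caller's identity."""
    params = parse_qs(urlparse(url).query)
    login = params.get("login", [""])[0]
    # No password, no session: any name in the URL opens that mailbox.
    return MAILBOXES.get(login)


# Hardened version: identity comes only from a session the server created after a verified login.
SESSIONS: Dict[str, str] = {}  # session token -> username


def login_user(username: str, password: str) -> Optional[str]:
    """Return a fresh session token on a correct password, None otherwise."""
    expected = PASSWORD_HASHES.get(username)
    if expected is None:
        _hash_password(password)  # do the same work for unknown users so timing does not reveal them
        return None
    if not hmac.compare_digest(expected, _hash_password(password)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def hardened_start(url: str, cookies: Dict[str, str]) -> Optional[List[str]]:
    """The URL may pick the folder (curmbox); the user is taken from the session cookie, never the URL."""
    username = SESSIONS.get(cookies.get("session", ""))
    if username is None:
        return None  # no verified session: refuse (a real handler answers 403)
    params = parse_qs(urlparse(url).query)
    folder = params.get("curmbox", ["ACT"])[0]
    if folder != "ACT":  # only the active folder exists in this sample
        return []
    return MAILBOXES[username]
```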
Now how much would you pay? (Score:1)
Did we all somehow forget that Microsoft is a corporation? This is why Linux is here, and is thriving and growing.
Don't forget about the Big Brother Awards.. (Score:1)
Re: limited liability (Score:2)
However, the baseline established by state law tends to be pretty low. Were you killed by the product, or seriously injured? You can probably sue, unless the industry is explicitly protected by state law. (E.g., Colorado ski resorts generally can't be sued by the family of skiers who die or are injured.) Were you inconvenienced? Tough luck.
*IF* Microsoft, as owner and operator of Hotmail, had denied that any problem existed and continued to insist that its email service was "secure" despite strong evidence to the contrary, it *might* be such gross negligence that state laws would be triggered. But I doubt lawyers could do much with the facts known today.
Re:remarkable spin (Score:1)
Re:Placing Blame (Score:1)
Security issues can be solved, but design mistakes speak of incompetent developers, which could lead to the thought that M$ has incompetent programmers/developers in other departments as well, which could make you think that all M$ software is crap (why do I have the feeling that there is a lot of truth in this...).
Gery
Re:VERY Typical... (Score:1)
Very good point (Score:1)
Re:Slashdot hypocrisy bigger than usual (Score:1)
The key words here are "machines running amd." I don't run amd, nor am I required to. In fact amd wasn't even installed on my machine when I installed Redhat 6.0 - I did a custom install. Now if this was Microsoft I would've had no choice. Software like am-utils would've been installed by default even if I didn't want it on my machine. Also, in case you didn't notice, Redhat is informing people about the amd problems in a *VERY* public fashion, which is one of the reasons I like Redhat. On the other hand, did Microsoft inform *ANYBODY* about the problem with Hotmail? Nope. People really found out about it after the news (and it *DIDN'T* come from Microsoft) made it to Slashdot.
In other words, get lost MS-Flunky......
Re:The Average Person Doesn't Have Open Eyes (Score:1)
What could be more inefficient than the "Self-Executing Zip File"?
I don't know about most people, but I find
rpm -e blah-de-blah
much easier than
Start>Control Panel>Add Remove Programs>blah-de-blah
Start>Run>Regedit>......
Sorry, but I consider Package Management to be the main disadvantage of WinDross.
Re:VERY Typical... (Score:1)
"Have you been using a computer long enough to remember when Netscape 4 was better than IE3?"
Yes. I have been using a computer since the CBM "Personal Electronic Transactor" was still a neat idea. I've been around for the entire life of the home computer revolution, both as a consumer and as someone deeply involved in the business. As such, I feel qualified to address (and make an expansive digression on) one of your next comments:
"Now add on to this that the company holding that monopoly does not have a history of innovation..."
I used to hate Microsoft (long before it became fashionable). I would have agreed wholeheartedly with the opinion expressed above. However, I think my long-term experience has modified (perhaps mollified) my perspective. Here is my take, for those who care to read it, on why I believe that Microsoft is _THE_ pivotal player in the whole PC revolution (and I am not equating PC with "IBM compatible" or Political Correctness).
I started out my PC adventure using CP/M. I used to "pip" my files from one location to another, and used "ED" as my text editor. Digital Research wrote CP/M, and, yes, DOS is a clone of CP/M that Microsoft didn't even program themselves, but bought off of another company. Strike one against Microsoft and innovation.
Incidentally, in this extended ramble I am not arguing for Microsoft's innovation (when they _DO_ innovate - or when they blatantly steal - I will mention it, only because "innovation" was the core point of the message from which I have responded and diverged).
However, Microsoft did remarkably improve their CP/M-clone acquisition, and continued improving it for many years. When that "improving" stopped and bloat began is a subject of argument that I really don't want to spend time on. It is useful to note that Microsoft found themselves in this position because Digital Research fucked up. DR had the opportunity to supply the OS for IBM, but they dropped the ball and MS scooped it up. No, that isn't innovation on MS's part, but it is an early demonstration of the shrewdness which has allowed MS to remain the dominant player.
I spent many frustrating years as a salesman fighting against the MS/Intel duopoly. Almost any computer system on the market gave you more bang for your buck than did that combination. A lowly C64 was a better buy for many years than an MS/Intel machine. Still, the computer illiterate in those days, and many of the literate, were seduced by the letters I-B-M that were attached to the MS/Intel machines (and this included the clones and compatibles). They scoffed at graphics and sound. They were buying a BUSINESS machine for SERIOUS uses, and only someone interested in buying a TOY would buy THAT (THAT being anything which was better than what they were buying but not as magic, in their minds, because it lacked the association with IBM).
Digital Research dropped the ball again when they succumbed to bullying by Apple. GEM was a better MacOS copy than was Windows, but MS, either through bluster or negotiation (often the same thing) soon won the day with Windows. By Windows 3.1 they had invented a new market. So they copied the look-and-feel portion of another OS, and they got all of the credit. Strike two against MS for innovation. Apple _did_ deserve it, as they had ripped off Xerox and then bullied DR for following their example.
However, as before, MS improved their knocked-off copy until it was far superior to what they had copied (I expect that the Macintosh faithful will howl here). AmigaDOS was better, as was even the Atari version of GEM, but the IBM lemmings guaranteed that those systems would be marginalized.
You know the rest of the story (maybe you already knew the preceding. I don't know. But I felt the rehash was necessary to make my wordy penultimate point). Microsoft and Intel win the which-platform-has-the-largest-installed-user-bas
Anyway, for the penultimate point and the cause of this lengthy digression (Part I): the conformity that MS and Intel accomplished was a GOOD thing! Before, with the splintered market, computer technology proceeded at a snail's pace. Programmers had to develop for marginal platforms. This is very much akin to the VHS, Betamax and (in the UK) Philips 2000 days. Beta _WAS_ a better system, but fewer of the machines could be found in stores (there were no compatibles. Remind anyone of Apple?), so fewer titles were sold, and sales were hugely diminished. An inferior product wins. Just like Microsoft and Intel (Motorola had always produced a superior microprocessor).
Part II: So, Microsoft continued updating its products and OS to stay ahead of the competition (particularly their products. WordPerfect used to occupy the throne currently occupied by Word. Before WordPerfect, it was occupied by WordStar. Ditto Excel and Lotus and VisiCalc). It did NOT update products because it wanted to waste the money. I'm sure that MS would have been perfectly content to sell you the same product forever, never spending another dime on development costs. But competition drove the products forward. When products get bigger, they almost invariably get bloated. A (perhaps) nearly irrelevant aside: Think of StarOffice. What a bloated piece of shit. I hope Sun fixes it before they start hawking it as a viable alternative to MS-Office. No, wait, they don't have to - they can just hawk it as a non-MS alternative, and a certain large (and growing larger) market segment will come running.
Part III: Fatter products and OS's pushed forward hardware development. Accelerated it, in fact. Hand in hand Microsoft and Intel (and other conspirators) pushed the PC platform into the 600MHz 13GB HD state that it is today. And I like it that way. If you don't want it or need it, there are plenty of 386's that you can buy at the Salvation Army or the Good Will or auctions, cheap, and Linux in console mode will run brilliantly. I, for one, am glad that it happened. A homogenized market is required for that type of development cycle, folks. And MS was/is the great homogenizer. "Oh, no!" some of you will gasp. "He is encouraging bloat to push the development of faster hardware!" No, I'm not. Bloat is never desirable. However, I maintain that it is often the BY-PRODUCT of rapid development, and that it produced some very desirable side-effects. I am grateful for my 380MHz PC with 64MB of RAM and 16MB Riva TNT video card. Do you think they would have come into existence without the market-collusion of MS and Intel? And, as the market matures (as it is in the process of doing now), alternative (better) OS's emerge which are leaner and use that fantastic hardware to maximum advantage. Then the cycle possibly repeats itself. We are only now nearing the end of the first cycle, so time will tell how it finishes. I mean, MS is very shrewd. It is relatively unlikely, but still possible, that MS will pull a rabbit out of its hat and surprise us all. It might be the victor in two cycles, this and the next.
As for MS innovation, I think that we owe the major improvements in browser technology to MS. CSS and XML were implemented by MS long before Netscape had thought about them. CSS in Navigator is shit. Now, I know that MS did not have pure motives. I don't care. But MS introduced CSS support (limited) in IE 3, and changed the entire picture. CSS support got better in IE 4 and 5, and now Opera and Mozilla are re-drawing the picture again. If (for their own greedy reasons, namely to wipe Netscape off the map) MS had not championed CSS, it is very doubtful that CSS and XML would be so integral to Mozilla. Score one for Microsoft innovation. Further, Mozilla would not exist if MS had not clobbered Netscape in the browser market.
Regarding MS's predatory tactics: all is fair in business, folks. We live in a free market economy. The company with the biggest stick and the most money wins, like it or not. We gave MS that stick by giving them our money.
Anyway, that closes this opus. I hope I see some thoughtful responses.
Ok, so sue me. (Score:1)
Anonymous cowards making incredible allegations about the "crimes" of people who dare to tell the truth in public carry absolutely no weight at all.
While you want to intimidate, track down and jail whistleblowers who have the integrity to sign their own statements and assume responsibility for them, I want you to enjoy your freedom to speak anonymously if you so desire to protect yourself from unlawful harassment because of what you have to say. As long as your statement itself doesn't involve a serious crime (and no, I don't consider simply informing the world about how crimes are committed one of those), anybody involved in the mere handling of your statements on your behalf should be required by law not to reveal your identity even before a court of law!
Such is the law in Sweden with respect to printed media, based on the principle that the publisher is solely responsible for what is being printed. Since Slashdot is an unmoderated medium, that principle can hardly be applied here, but that doesn't make the freedom it would yield any less desirable. I don't care that you don't have the slightest idea of what freedom of expression means, but I want you to enjoy that freedom as much as anybody else, because if you can't, then that freedom isn't worth a dime to anybody else either.
And, if you are still not convinced, please report my name and e-mail address to your nearest police officer, the FBI [fbi.gov], Interpol [interpol.int], or any Microsoft [microsoft.com] lawyers you know. I'm a system manager at a Swedish university, and it's my job to protect the privacy of our users as well as the integrity of our systems against attacks from anywhere.
Privately, I'm sick and fed up with silly government attempts at controlling the spread of information, such as bans on cryptographic software, laws regulating the mere mentioning of named individuals in electronic communication, "copyright infringement" claims raised against proxy HTTP servers, software patents, police snooping on private mail and so on.
I freely admit to a strong desire to circumvent any technical or legal obstacles placed in my way for no legitimate reason at all, and pointing out security flaws in computer software or service configurations - even to the point where continued operation of said software or service is jeopardized - is to me a good deed for the well-being of mankind.
I have decompiled and studied binary code without regard to any copyright on it, simply to satisfy my curiosity. I have modified the Netscape Navigator binary (international version) and configuration to enable US-strength encryption as well as change the "license agreement" nonsense into something in line with Swedish law for the benefit of our students (we don't accept "shrinkwrap" licenses over here), without asking Netscape. I routinely press the "Accept" button whenever I install software at work or at home, knowing that it means approximately "null and void" to me. I may read the "license agreements" after installation, just for the fun of it. I have transmitted encryption software across national boundaries. I have exploited security holes in computer systems owned by others, without their authorization, to obtain useful results such as improved network connectivity.
I scoff at the obscene claims [algonet.se] made by German authorities to "own" Adolf Hitler's literary works, and I'll gladly make and distribute copies of Mein Kampf or any other garbage he wrote whenever I feel like it. I conspire with my friends to change the ways things happen around the world, whether in politics or in business, not merely by voting in elections or participating in marketing polls. I believe I do all this in full compliance with the law and with Judeo-Christian ethics, but if I don't, I'm prepared to defend my actions in court.
I challenge you to report all the above to the appropriate authorities, simply as an experiment to show how futile that is, and how pathetic your remarks are. I promise you that I will not have you prosecuted for making any false accusations against me (though I cannot answer for any actions by others). Ain't I kind? Believe me, it's hardly worth the cost of a phone call.
No, I'm not giving you my residential address. I may be frank, but I'm not stupid. If you are serious, you could either ask my ISP Algonet [algonet.se] (it's my primary private ISP, not a mailbox hideaway), or you could ask Datainspektionen [www.din.se], the Swedish government agency charged with maintaining the register of those who maintain databases with personal information, for the owner of registration license number 9999110043 [algonet.se] (it's mine). Make sure to include ample copies of any evidence you have against me either committing a crime or violating anybody's privacy by storing their names electronically (I'll mention Bill Clinton, Börje Ramsbro, Håkan Nordquist and Tomislav Micic to give you a fair advantage). Good luck!
Jerk.
Re:Slashdot hypocrisy bigger than usual (Score:1)
Gads, you really are an idiot. So NT users can't choose which services to run? Tell us another one. And yeah, RedHat's being so public about all their bugs the way they bury it on their website. Guess they wouldn't want all those Wall Street investors to be able to see how shoddy it really is.
As for informing people, thank you for showing the hypocrisy that I'm talking about. The reason a lot of people here found out about the Hotmail problem here before Microsoft said anything about it is because Slashdot ACTUALLY REPORTED IT -- whereas they DIDN'T REPORT the RedHat problem. If they held RedHat to the same standard that they hold Microsoft, most people here indeed would have heard about it here first; plenty of people knew about the problem before RedHat ever deigned to mention it. Nice try, junior.
Cheers,
ZicoKnows@hotmail.com
Re:Nothing but ... (Score:1)
Does anybody remember the USSR's excuse for waiting nearly three days to announce the Chernobyl disaster to the world, even to countries directly in the path of the fallout? The accident occurred on a Friday (or a Saturday), and they waited until Monday because, they said, "the governments of most advanced countries are closed on weekends."
Hmmm. Hotmail and Chernobyl. Now there's an analogy I can live with...
--
Re:Why I use yahoo (Score:1)
But they don't! They just get moved to a trash folder where it will, someday, be cleaned up. MS even advised users (that asked) to check if they had messages in their trash. If you had something sensitive on your hotmail account and an exploit was discovered, you couldn't get rid of it. On Yahoo!, you can delete everything and then "Empty Trash". That's the point I was trying to make.
Re:This was *NOT* a bug. (Score:1)
So.. I hate to say it, but this "typical of Microsoft" thing is only in your mind, this time.
(Note: at various times yesterday during Hotmail's patching periods, any attempts to read your mail @ Hotmail via MSN Messenger failed, with 403 as the result. However, that hasn't been the case for well over 12 hours now)
8 Days, or "Before any damage was done" (Score:1)
The fact that the hotmail story never made in onto their main page (unlike everyone else) speaks volumes as well.
I guess MSNBC gets stories about 40 million email accounts being compromised all the time. Princess Diana death from 2 years ago is more newsworthy.
Please.
Re:Hmm...doesn't this go against Bill's Philosophy (Score:1)
--
Slashdot hypocrisy bigger than usual (Score:1)
Hmm, let's see. Microsoft announced the problem on both Hotmail's home page, as well as on the home page of www.microsoft.com.
Now, what I'd like to know is: Why isn't Slashdot bitching about Redhat? The am-utils package that they've been shipping is "being actively exploited on the internet" to give root access on machines running amd. Wow! Something like that's just gotta be on RedHat's home page, right? Ooops. Guess not -- not a single peep.
So, after clicking on "Updates, Fixes, & Errata," I still see no warnings. Click on "Redhat 6.0." Click on "amd." Ahh, finally!
I dunno, but for a problem that's being "actively exploited on the Internet," you'd think that (at least by Slashdot's apparent standards), RedHat would be making a lot more noise about this. At least the Hotmail hole is no longer there.
Face it, you would've been bitching no matter what they said while giving RedHat a free pass on all the holes that have been uncovered in just the past month.
Cheers,
ZicoKnows@hotmail.com
But *what* was broken (Score:1)
We all know that Hotmail runs on a *BSD/apache platform.
However people have said that it was the passport side that was broken, and this is a newer feature, which is used across several services. This raises questions (to me at least):-
So many questions, so little chance of answers :-(
Was anything about the technique posted by the crackers?
Re:Oh please shut up (Score:1)
Obviously a comment from a microsoft stockholder, disgruntled NT admin (god knows I would be, if I had to work on that godforsaken abomination 40 hours a week), or an idiot in the Navy who recommended moving from UNIX to NT
Re:remarkable spin (Score:1)
Kintanon
Media Pablum (Score:1)
The sad part is that 99% of the world doesn't understand the problem, so press releases that say "security issue" and "everything is ok" will be heeded by the masses.
Why can't Microsoft just own up and admit that they screwed up. And then fire the idiots that wrote the code in the first place!
Hmm... (Score:1)
IMHO, the only thing you could do for a security hole in that time is move it to another part of the code, and hope that you can actually fix it before someone else notices the problem. Does anyone know what Microsoft claims to have actually done?
It is really that bad (Score:2)
Now I don't have definitive proof, but a comment above stated that this was not a bug, but a deliberate security hole put there by Microsoft to allow MSN Messenger the ability to log in to Hotmail without a password. With all of the warring going on between MS and AOL, it's pretty believable that this could be exactly what happened.
They admitted the problem but completely downplayed it. It's a hair short of flat out lying about it. That is not the kind of behavior you'd expect from any other multi-billion dollar corporation, but it's what we've all come to know as typical arrogant elitist MS speak.
Re:remarkable spin (Score:1)
Look at it this way: let's suppose Ford made a car with the keyless entry system, and designed it so that merely by pushing all the buttons simultaneously the doors would unlock. Maybe the engineers knew that would happen, maybe they didn't. But then people chance upon it and spread the word around, via word of mouth and/or Internet.
If my Ford got stolen in this manner, sure, I'd be mad at the thief and want him caught and prosecuted. But I'd also be mad as hell if I found out the theft was due to oversight on Ford's part that made it simple to circumvent the car's security. Especially if I found that Ford KNEW about the exploit and decided to still sell these cars, even if just one car, after hearing about it.
Would I be angry at people who had shared this info with others? Would I want them prosecuted? No.
You hope that a database is built logging identities of people posting comments. Well, that's a nice totalitarian sentiment. For your sake, I hope you never visit any sites that you wouldn't want your mother to know about, or ever once discuss something you wouldn't want aired in public. Because what you wish for could be applied to you as well.
And your ominous tone is silly, too. Look, I'll say "I broke into the Pentagon's computers" logged in, not AC.
There's a reason it's called Anonymous Coward
Re:All fixed, until the next time (Score:1)
http://www.student.wau.nl/~olivier/gpasman/
Re:VERY Typical... (Score:1)
I assure you that I have both the knowledge and the capability. But ad hominem attack is easier than a thoughtful reply, which is why you used it. Much better would have been a response along the lines of:
"X should have font-rendering in version 4, so there is one of your quibbles taken care of," or something else that would have been germane and constructive.
Why I don't use yahoo (Score:1)
b) At work I am forced to use Outlook Express (on NT4! Bleeeech!). It can directly check my hotmail account. Easy, and it works well.
c) Yahoo sucks. Yahoo has sucked for a long time. I dont ever use Yahoo for anything at all, ever, just on general principle. Ever since Yahoo started offering EVERYTHING, I stopped using it. A site should do one thing and do it well, IMHO, and I hate these so called "portals" that try to do every damn thing. Yahoo mail, yahoo auctions, yahoo friggin' maps... The hell with it, fuck yahoo.
anyway, just my opinion.
---
Re:Slashdot hypocrisy bigger than usual (Score:1)
If RedHat and the other Linux dists hide these announcements like you claim, then why can they be found on nearly all the Linux news sites like Linux Today and LWN? You truly are a Microsoft-paid moron, you know that? The fact is, it's really easy to find out if there is any sort of "Security Issue" with Linux or BSD software. It's nearly impossible to do the same when you have Microsoft running around denying that there is even a problem to begin with 99% of the time.
Proof that HotMail CGI Bug known about since 1998. (Score:1)
I am quoting from
http://www.w3.org/Security/Faq/wwwsf4.html
"HotMail
The CGI scripts that run the popular HotMail e-mail system use a flawed security system that allows unauthorized individuals to break into user's e-mail accounts and read their mail. This problem is known to affect the version of HotMail that was in place as of December 1998. For further information, see these links:
http://email.miningco.com/library/nus/bl120898-
http://www.geocities.com/ResearchTriangle/Lab/6
Specifically the first link..
Quoting from that link..
"Hotmail Accounts Easily Accessed by Hackers
Hotmail is still extremely vulnerable to hackers who try to gain access to other people's email accounts, Shailesh Govekar and Krishnan VenkataRaman, software engineers at Lisec Software, have found out.
It may be easier than you think for other people (malicious or not) to read your (Hot)mail. They do not even need your password. All it takes is a URL and the user whose email they want to read to be logged in.
Sneaking the right URL out of Hotmail's database is easy and can be done at any time with only the user name of the account-to-be-hacked.
On their Web site Govekar and VenkataRaman describe the necessary steps in detail. A URL looking like http://www.hotmail.com/cgi-bin/password.cgi?login
If, for example, we insert "exhibitio" as the username, the URL is http://www.hotmail.com/cgi-bin/password.cgi?login
The problem is that Hotmail uses neither HTTP authentication nor cookies to ensure an account is accessed only from the computer that originally logged in to the account. "
Now, Lets take this evidence against Microsoft's Pr crap..
EOF
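The W3C FAQ excerpt quoted above boils down to one design error: the CGI identified the mailbox by a `login` parameter in the URL and never checked that the requester had actually authenticated, so a URL built from nothing but a username was enough. The following Python is an added illustration of that vulnerable pattern beside the usual fix (a random session ID issued only after a password check, kept server side, and presented by the client as a cookie). It is not Hotmail's code and not part of the original post; the mailbox contents, usernames, passwords and function names are constructed for the example.

```python
"""Constructed example: mailbox lookup by guessable URL parameter vs. by server-side session.
Not Hotmail's code; all users, messages and passwords below are made up."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample data: username -> messages
MAILBOXES: Dict[str, List[str]] = {
    "exhibitio": ["lunch at noon?", "invoice attached"],
    "alice": ["project status"],
}

# Constructed credential store: username -> (salt, PBKDF2 digest)
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALTS = {"exhibitio": b"salt-one", "alice": b"salt-two"}
CREDENTIALS = {
    "exhibitio": (_SALTS["exhibitio"], _hash_password("hunter2", _SALTS["exhibitio"])),
    "alice": (_SALTS["alice"], _hash_password("correct horse", _SALTS["alice"])),
}


def read_mail_insecure(query: Dict[str, str]) -> Optional[List[str]]:
    """The flawed pattern the FAQ describes: the request says ?login=<name>
    and the server opens that user's mailbox. Nothing proves the requester
    ever authenticated as <name>, so the username alone is the capability."""
    return MAILBOXES.get(query.get("login", ""))


class SessionStore:
    """Hardened pattern: an unguessable session ID is minted only after a
    successful password check and mapped to the user on the server. Later
    requests are attributed to whoever holds the cookie, never to a URL
    parameter the client chose."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}  # session id -> username

    def login(self, username: str, password: str) -> Optional[str]:
        record = CREDENTIALS.get(username)
        if record is None:
            return None
        salt, expected = record
        # constant-time comparison so a wrong guess leaks no timing information
        if not hmac.compare_digest(expected, _hash_password(password, salt)):
            return None
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, not derivable from the username
        self._sessions[sid] = username
        return sid

    def read_mail(self, query: Dict[str, str], cookies: Dict[str, str]) -> Optional[List[str]]:
        """The 'login' query parameter is ignored on purpose: identity comes
        from the session cookie, or the request is refused."""
        user = self._sessions.get(cookies.get("session", ""))
        if user is None:
            return None
        return MAILBOXES.get(user)

    def logout(self, sid: str) -> None:
        # invalidate server side so a captured cookie stops working
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    print("insecure, no auth at all:", read_mail_insecure({"login": "exhibitio"}))
    store = SessionStore()
    sid = store.login("exhibitio", "hunter2")
    print("secure, with cookie:", store.read_mail({"login": "alice"}, {"session": sid}))
    print("secure, cookie missing:", store.read_mail({"login": "exhibitio"}, {}))
```

In a real deployment the cookie would also be marked `Secure` and `HttpOnly` and the session given a lifetime; the point of the example is only that the server must decide whose mailbox to open from state it created itself, not from a parameter the requester typed in.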
Re:Proof that HotMail CGI Bug known about since 19 (Score:1)
http://www.hotmail.com/cgi-bin/password.cgi?log
and all I got was an "Internal server error" message, not an "invalid password" or anything similar.. Makes me wonder, vaguely, if there is still something to this bug.. I doubt it, but might be worth looking into.
Server Name: lc3-lfd63.law5.hotmail.com
Your Browser (User Agent) = Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)
Last Task (ScriptName) =
RequestMethod = GET
QueryString = login=ACCOUNTNAME&curmbox=active
EOF
I think it is (Score:1)
Well it does ... (Score:1)
Re:Let's see, now... (Score:1)
"Microsoft was notified early Monday morning (August 30, 1999)"
Maybe the company only operates 9 til 5 in one timezone.
Isn't their HQ in the west of the USA, thus putting them behind Asia, Africa, Europe and most of America...
The MS Spin Machine Sputters? (Score:1)
IMHO, the Microsoft spinmeisters must have been asleep on this one.
Why, you ask? Well, I was up late last night reading and listening to the radio, and the news on one of the local mass-media radio stations ran the story on the Hotmail security hole. More and more people are going to start hearing more and more about the gaping security holes and start questioning whether they want anything to do with MS software. Those who already understand why the latest virus scare is a problem and how it works must already be asking themselves ``Why did I spend my hard earned money on this stuff?''
(Normally I despise the news media feeding frenzies, but when it's directed in the right place, it's actually sort of amusing. We may not be seeing one just yet, but MS has a few cuts and there might be enough blood in the water...)
Re:Hmm... (Score:1)
Re:Lame, lame, lame. (Score:1)
It just made Channel 4 News in the UK too (Score:1)
They had a rather ill-informed report, mentioning the Cult of the Dead Cow and Back Orifice, and then went on to a head-to-head between the MD of MI2G and some woman from Microsoft.
Unfortunately, neither the MI2G guy or Jon Snow actually pinned her down to anything, and let her get away with the party line of "Isolated incident.. not a problem.. all the fault of the hackers.. E-mail's never secure anyway."
He almost got her on a few, like "Wasn't the service up for a while after you noticed before you pulled the plug", but didn't follow up when she fluffed him, and they didn't bring up the possibility of it being Microsoft's fault/responsibility. Jon Snow finally summed up with a "Let the viewers decide" line.
Bit of a shame. I feel they didn't really research it too well. Jon Snow did a Bill Gates interview once, and asked him something like "Your personal fortune could supply running water and good sanitation to every person on the planet. How do you feel about that?" Ended up making Billy-boy seem like the devil incarnate. =)
Re:VERY Typical... (Score:1)
I am often asked about Linux because I use it, and many of our customers are very interested in switching (mostly because of the "I hate Microsoft" and not because "Linux is better" - although, to define "better" I admit requires a more subjective description which I think you know enough about already.)
I freely admit that I dislike windows, but the thing that is currently keeping more people away from Linux is that it is different from Windows, and yes, more difficult to use (for now). Companies such as Red Hat (and others!) are fixing this, and yet certain members of the Linux community hear about this and immediately scream "Red $hite SuX0Rs!" Well, we still have some way to go I guess.
I am not going to specifically respond to any of your points however, because they are valid. If YOU dislike the tarball/RPM conflicts for example, you are certainly entitled to. But Linux is always improving. I am patient. I just hope to be here to welcome you when we get these things fixed, so we can have our beers and relax.
Cheers!
Re:Hmm...doesn't this go against Bill's Philosophy (Score:1)
That's not quite true, since certain SPs have mattered a lot in terms of functionality (e.g. IIRC, NT DX3 support came in a service pack...), but it's why you don't hear that suddenly MS released MS Windows NT 4.39.110+ or so. Release a patch, but it's not a full release; they're not going to ask stores to discard their stock and issue newly mastered versions; and it's not going to be billed as another "release".
That's the same way that, say, most Linux distributors (probably all), do not increment their version numbers for every single Errata patch and make sure to add more features before calling it a new release.
Re:Oh please shut up (Score:1)
Let's just throw away all the fanatical, biased crap for a minute and think real long and hard about it from a business standpoint: If you say something like this, your credibility will be forever shot, and you'll probably never recover. As much as you and I would cackle with glee over the demise of MS, only an utter idiot would expect that any company would release such a self-destructive statement.
You might argue that nobody has any confidence in MS as it is, so why would it matter. Of course, that would be incorrect. I have no confidence in MS's ability to market a secure, reliable product. But, I assure you, there are plenty of people out there that don't know any better. If there weren't, MS wouldn't be making money.
So, we come back to the crux of the issue: MS borked things up real bad. There are a couple different ways they could have dealt with it. While shifting the blame from themselves to the scapegoat of "evil hacker guys" isn't very accurate, it didn't get the usual microsoft treatment of 'That's a feeeeeeeture'. Or simply ignoring it. Or fixing it and not saying a word about it.
I guess what bugs me about the whole ordeal is that instead of focusing on the fact that they built themselves a gaping security hole that they either never bothered to check for, or found and left alone until someone else pointed it out, everyone is nitpicking on their announcement. And that announcement isn't half as bad as some of the others that I've seen from other companies. At least they didn't say "we can fix the bug for any customer that can prove they really need the extra security afforded by a password". :)
Timeliness? (Score:2)
Also, they were quoted on CNN (I think) that none of their users had complained, so they hoped that the effect was minimal. I know that I, for one, sent an email informing them of the problem, and urging them to take it down until it could be fixed.
My suggestion for MS? Come out and admit that they screwed up, and badly. A little honesty would go a long way.
Refund (Score:2)
We know better (Score:2)
Sure, the technically minded people in the world realize that this is PR, and that M$ is chock full o'holes. With macro viruses, Back Orifice, hotmail, the ping-o-death and a slew of other issues that are never quite 'resolved' in the technical sense, the computer professionals and an increasing number of knowledgeable users are more and more shying away from M$. The success of Linux is a testament to that.
But the vast majority of the computer users out there, the ones that think Microsoft is the only software company out there, the ones that subscribe to Microsoft Internet and download a new version of the Internet everyday, and fax by holding the paper before the monitor, and complain when their cup holder breaks... They're the ones who pay good money into M$ coffers, and fund the bloat-fest and PR campaign.
M$ made the PC accessible to virtually everyone, and now preys on the ignorance of the average user. What's needed is an organized effort at educating the mom-n-pop computer user. What's needed is a way to tell the truth, because M$ fails to do so.
Re:Principle 1. (Score:3)
Well, I don't know about year of birth, but you can come to terms with gender, and you can update your sex based on it...
---
"'Is not a quine' is not a quine" is a quine.
Re:Hmm...doesn't this go against Bill's Philosophy (Score:2)
"New versions [of programs] are not offered to cure faults. I have never heard of a less relevant reason to bring a new version on the market."
Pretty much sums up all their bug handling...
-mparcens
~~~~~~~~~~~~~~~~~~~~~~~~~~
JavaScript Error: http://www.windows2000test.com/default.htm, line 91:
Placing Blame (Score:3)
It's a neat little situation MS is in. On one hand, it's a perfect situation to poke at a competitor, on the other hand, MS sure doesn't want to admit too openly that it's not using its back office products.
CNN's take (Score:3)
I was astonished. Sound, sensible comments from a news service??
The other thing they said was that lawyers were looking into this, to see if Microsoft is in any way liable. After all, the problem was caused by negligence on their part, not some obscure bug or a skilled, daring cracker raid involving top security experts. Apparently, the TOS states that Microsoft is never at fault for anything that happens, but the reporter seemed to imply that not everyone shares that view.
Assuming this isn't sensationalism by CNN, this story could get even more interesting, and possibly spell doom to the disclaimers liberally splashed over all software and online services.
All fixed, until the next time (Score:2)
OK, so everything's all patched up now, right?
That's fine. Until, that is, the next time they implement some sort of new feature that does not play well with the existing aspects of the code, and something like this happens again.
There are trade-offs between security and convenience, and there are legitimate gray areas. For instance, I use cookies to stay logged in to
All that said, however, there is NO excuse for the Hotmail situation.
Sadly, Microsoft PR is nothing new (Score:2)
http://www.around.com/microspeak.html
D
----
"Taking advantage of" Hotmail (Score:3)
Wow, really? Yesterday we could "take advantage of" Hotmail with a very simple action. Now it requires no action whatsoever? I'm impressed; these Microsoft guys make themselves easier to take advantage of every day.
I still disagree (Score:2)
It would be absurd to suggest MS should say "we suck." In fact, that would be just as bad because it would still obscure (or at least not reveal) the facts. At the very least, they should have a link from the PR letter to a technical description of the problem and exactly what steps they took to fix it.
If consumers don't hold corporations to standards of disclosure, corporations will continue to evade and obscure responsibility.
Is it really that bad? (Score:3)
One of the worst things you can do, in my experience, is come out and say "Wow. Our system got totally borked, because we didn't think things all the way through and anyone who wanted could read your private mail. Oh, we fixed it, by the by." Sure, you can't deny that there was a problem, but you also can't run around proclaiming to the world that the sky is falling, or you lose any shred of confidence that anyone might have had in you.
This was a fairly serious security breach caused by the implementation of a system before it had been thoroughly tested or thought through. That is inexcusable. And you can't just fix it and then never mention a word about it -- that undermines your credibility as much as a 'chicken little' reaction. Given the circumstances, I think it was a very appropriate response. They admitted the problem, they admitted responsibility for the problem, and they issued assurances that the problem is fixed, and gave the usual drivel about being committed to privacy and all that.
As fluffy and irrelevant as all that may sound, when it comes to marketing/crisis handling, I think it was about as responsible as you can get. It certainly beats the usual 'feature-not-a-bug' argument, or the 'gee, it's because our Cisco routers got upgraded wrongly', or 'problem? what problem?'.
what bothers me (Score:2)
I sure wish someone would point this out in a big way.
"Well, MS products are not secure in the real world 'cause they, MS, don't really understand multiuser, networked topology."
Simple.