The Significance of the Hotmail Crack
Slothrup writes "Telepolis has an interesting piece linking the problems at Hotmail with the Sun purchase of Star Division. An excerpt: 'What the Hotmail hack shows is that the Internet's self-regulation doesn't work anymore because it relies on the assumption of more or less equal participants. This is clearly no longer the case.' " Interesting piece. Definitely worth a read.
How can you call it a crack... (Score:1)
Re:you get what you pay for.. sometimes. (Score:1)
Re:It matters not who, but how fast.. (Score:1)
Similarly,
A feature is an undocumented bug.
Hotmail crack Editorial cartoon! (Score:1)
See it here [syndicam.com]
---
Re:Access From ANYWHERE (Score:1)
Also, it keeps other people from grabbing my nickname and masquerading as me from a hotmail account...
minimal knowledge (Score:1)
The thing that gets me is, ma and pa computer user routinely f*ck up their machine, refuse to pay for needed upgrades, and call their ISP to help them install a game for their kids. I have been fielding tech support calls (in addition to my other duties) for about a year, and it burns my buns! These people don't know and they don't want to learn. "I'm computer illiterate." Well then turn the damn thing off and donate it to a school or something!
Whew. Sorry for that, it's been a hell of a week.
The Divine Creatrix in a Mortal Shell that stays Crunchy in Milk
Why Hotmail will lose few, if any, users (Score:2)
On the one hand, you have people like me who use Hotmail as a spam catcher. (I do actually skim for actual messages to me once a week or so, in case someone's trying to reach me through it.) If someone got into my account to read all my spam, I couldn't really care less.
On the other hand, for those that actually use it as a major provider for their email, they've got to weigh the possibility of a breach happening to Hotmail in the future (and not happening to the other web email services) against the hassle of getting all their acquaintances to use their new email address. As someone who still gets email from an account I closed over two years ago (it still gets forwarded to me thanks to an understanding ISP), I can testify that it's a pain. You also have to consider that those people who do use web email as a major provider are rarely the type to come into contact with hacker types -- they're more the ma and pa type of user -- and were very unlikely to be targeted.
Cheers,
ZicoKnows@hotmail.com
Why not switch. (Score:1)
And like with any product or service, there will be a portion of the population that won't care that they're getting ripped off.
If security was a concern, storing mail at Hotmail is an obvious no-no, even for a novice user (who, chances are, does not have much concern for security).
What is important is that the average user hear about such poor service, and switch.
nerds & cars? (Score:1)
Re:Sun is living in the past and MS is -- well -- (Score:3)
Honestly... Whether the software is open source or not won't matter to Sun. It's just that RIGHT NOW the available commercial software is better for the markets they look at (KOffice will be _great_ but it's not there yet, and it's not written in Java)
And the server-centric model is the right one... At least from a management perspective.
--
We are Microsoft. You will be assimilated. Resistance is Futile.
Re:I'm dumpimg my Hotmail accounts (Score:1)
Screw Sun (Score:1)
I'll keep my data on my own box, and not use a thin client to upload everything to their servers, thank you very much. Bugs wouldn't be my biggest worry -- it's the idea that my data could be held hostage by some sysadmin honked off because I nailed his wife or riled up about some joke I made about Scott McNealy's gigantic fucking teeth. Forget that mess.
Cheers,
ZicoKnows@hotmail.com
Re:Not self-regulation; market regulation (Score:1)
However the most probable reason that Hotmail is so popular is that it isn't a bad service. A lot of the webmail alternatives are probably no more secure or reliable.
Re:trusting MS? (Score:1)
Hotmail was NOT 'cracked'. (Score:1)
you get what you pay for.. sometimes. (Score:2)
Re:Screw Sun (Score:1)
And I didn't say thin-clients were right for EVERYONE...
But for the a-technical masses, they're ideal.
--
We are Microsoft. You will be Assimilated. Resistance is Futile.
I'm dumpimg my Hotmail accounts (Score:1)
Not self-regulation; market regulation (Score:2)
If MS had a natural monopoly in freemail (like if Hotmail had a patent on the concept), I'd agree that self-regulation is insufficient. But in this case, the loss of customers and ad revenue for Hotmail, not to mention loss of MS credibility, will hurt them more than a few lawsuits from disgruntled parties.
Translated:Hotmail breach == sex scandal in Sweden (Score:1)
Hotmail Scandal - Sexbuyer identity revealed?
Someone has hacked an email account that belongs to two young prostitutes and sent out their correspondence on the Internet. It reveals the names and telephone numbers of many of their clients. "I only want to know if they were prostitutes for real", says a media director whose name appears in the correspondence.
On Monday the Express revealed that anyone could read other people's email at Microsoft's email service without entering a password. After that, Microsoft staff took a full ten hours to fix the problem before it could work safely again. During this time, someone accessed the email account of the two prostitutes, then posted the messages on an anonymous homepage on an American server where everyone could read them.
Intimate details
On the homepage many intimate details are revealed about those who wrote the messages. "I am a pleasant and kind person, married, who needs more than what I get at home", writes a man whose name and telephone number appear on the homepage. Many of the persons who wrote to the girls explained that they are businessmen who sometimes seek escorts in Stockholm and want to have contacts. The person behind the homepage requests that readers write email to and call the men. A director in a well known media company appears on the homepage. He has written email to the girls and wrote "I am seriously interested in French lessons with you on a continuing basis. Can you tell more about your lessons? It would be nice if you also could attach a picture with the course plan". When the Express contacted him he already knew that his name and phone number were on the webpage. "It is horrible and I understand that it is easy to ruin one's reputation", he said. He maintains that he did not buy sexual services and was only curious to find out if they really were prostitutes.
The homepage where the names appeared is on an American webserver where anyone can log on anonymously for free. Therefore it is impossible to find out who is behind the page with the sensitive information. "What has happened with Hotmail is regrettable, but it is a whole other thing to take someone else's information and publish it on a website", says Lars Backhans, Microsoft's highest official for Hotmail in the Nordic countries. "This here is abominable."
---
trusting MS? (Score:1)
Re:Wha? (Score:1)
"Okay. Sure, it's easier and cheaper to store everybody's money in a few large organisations, let's call them banks, but that same concentration, while it may mean that one single security flaw can expose all that money to theft, I wouldn't want to suggest that we all therefore stuff our mattresses with banknotes and sleep with a pistol under our pillows."
There are people who've been burned and lost enough to banks that this is no joke, not sarcasm, and they take this comment seriously.
Re:you get what you pay for.. sometimes. (Score:1)
part of the "crumbling infrastructure" so that more taxes can be raised.
It is just an indication (Score:1)
But it is not mail the author is concerned with. What happens when Sun releases StarPortal? Your spreadsheets (say, financial info) and word-processing documents would be stored on the network servers and they would be vulnerable to the same attack as Hotmail.
If the Hotmail crack didn't exist and this document wasn't written, Microsoft should invent both themselves (or did they?), just to show people that Sun's offering (which is cheaper and more featureful) is the wrong way to go, and users should still pay MS and hardware manufacturers for more bloated software and heavier notebooks to carry personal data around.
Don't tempt fate (Score:1)
Jesus, don't go giving them ideas!
Re:No disempowerment for the technically aware (Score:1)
I've only bothered reading the line in the extract about the hack disproving self-regulation, and as far as I'm concerned, it goes to prove the point: we're not ALL braindead morons, and we shouldn't have to pander to those who are.
(The rest of the article is going to remain unread in the light of that extract alone.)
Agree entirely about risk assessment, etc...
Anyone got an uzi for these journalists?
~Tim
--
Re:blah (Score:1)
Not one person, all people. It took me about 2 minutes from when I heard about the hack till I had the URL that let me get into anybody's email. That "Hotmail was hacked" is just not correct; that "a method was uncovered that let anyone get into any user account at Hotmail" is a more precise description. Get the facts straight.
I could, for example, have used this opportunity to log onto admin@hotmail.com (yes, it was also open), sent a mail requesting some personal information from the users, and I could have waited there about 13 hours to collect the answers because MS didn't shut the server down, and gotten away, home free, with loads of information I should not have had. And that is just one thing you could have done; there are plenty of others.
"The future is already here, it's just not evenly distributed yet."
- William Gibson
Re:oh, users pay (Score:1)
> phil
> Kinda pleased with himself for worming the Nazi comparison in...
Except that you killed the thread by godwin's law.
Why haven't you been moderated down to -5 or so?
Re:the net "for everyone else" (Score:1)
It's pretty easy for someone to misunderstand you there, considering what ISP stands for.
What complete utter stupidity (Score:1)
Self regulation does work, unless you as an individual do not let it work for you.
There are so many companies out there offering the same exact service as hotmail.com that there is nothing preventing you from switching. Hell, I even got an ad for a free email account from American Express.
This is what is so utterly stupid about some of these internet evaluations and mergers. For example geocities. What is it about geocities that makes them worth $5 trillion? Nothing, the technology and infrastructure can be put together for a few million in under a year.
And has been shown over and over again, people do suddenly switch from using one web site to another, from one fad to another.
The only thing keeping people at hotmail is their own stupidity. It has nothing to do with Microsoft being huge.
Hmm .... an interesting thought. (Score:1)
Free services by overly large companies like Micro$oft do not NEED to worry about the well being of their users.
I mean, if M$ killed hotmail right now, what would happen? Or if they limited it JUST to the MSN users?
add
Some million or so users would be out of a cheap but effective free web-based email. And I'm sure Gates would just be shaking in his booties about that one.....
Open Source has nothing to do with this issue as I see it
did not 'come to the rescue' because they could AFFORD to wait
Everyone is complaining that their security was compromised. So. Did you leave hotmail for another provider?
'nuff said.
Re:Wrong, wrong, wrong. (Score:1)
More regulation is bad - If "e-mail sites like hotmail" were disallowed from disclaiming responsibility for their *free* service, then that also means that if you wanted to offer a similar free service--- you'd be responsible if it screwed up. They're charging $0, the service is offered "as is, with no warranty", what's the problem?
People shouldn't sign away their rights and then complain when they don't have them any more. Before you press "Agree", read what you're agreeing to, and only press "Agree" if you agree!
Re:oh, users pay (Score:1)
Please enlighten...
Re:Whiners (Score:2)
-
Why should you trust free email services? (Score:1)
People should use POP3 with PGP installed. Besides, who likes to be owned by Microsoft anyway?
When people subscribe to free email, the service provider isn't obligated to do anything. He could sell your email address to some advertiser although he says he won't (who's gonna know anyway?).
I believe free email services are a problem on the Internet and the source of many spam emails people receive.
Think about it
guess this makes *nix look better (Score:1)
Access From ANYWHERE (Score:2)
WHAT?
Were you not listening to what we were talking about? Hotmail sucks, it's got a crap HTML interface that's slow and full of adverts and it's not secure and full of spam. What on earth would you want a Hotmail account for?
You get to choose your own username and you can access from anywhere, not just from college. It would have been useful when I was in America last month.
Um, yeah, or you could just get a proper pop/imap box from somewhere other than your school and learn how to access it from another computer. It's not hard.
Didn't work of course. She's still planning to get a hotmail account. Nothing I could say would convince her otherwise coz all her friends are using hotmail and they all think it's great coz you can access from ANYWHERE.
Bah. I'd sooner telnet to a pop3 port than face the nasty Hotmail interface.
Free Cryptography is already available (Score:1)
movement is doing a lot in this direction. Cryptography is on top of the list. Free, easy to use, public domain cryptographic tools are a necessity. And with a few targeted public research grants they could become a reality rather sooner than later. An other
The Gnu Privacy Guard [gnu.org] already provides freely available, easy to use public key cryptography. It's extremely simple to integrate it as a filter in eg. Pine or your favourite mailer. Version 1.0 is due out RSN, and 0.9.11 was released today.
- Aidan
slashdot makes CNN.COM on this one (Score:2)
It's quite a compliment when CNN gets its news by reading Slashdot. Tee-Hee!!
Re:Access From ANYWHERE (Score:1)
Re:the net "for everyone else" (Score:1)
Since the Internet is a no-boundaries system, you'd be dumb to locate in a regulated area when you can offer the identical service in a less-regulated (read lower-cost) area.
(Of course, the regulators would respond that they'll just force people to locate in Texas to do business with Texans. Then you could arrest Texans who illicitly use out-of-state services. Tell me when this starts sounding like a good idea. )
Re:oh, users pay (Score:1)
HTH. HAND.
--
Repton.
Re:guess this makes *nix look better (Score:1)
Re:nerds & cars? (Score:1)
You hit the nail on the head there. Exactly why I do my own car work.
Re:Wrong, wrong, wrong. (Score:1)
Don't have the savvy to do that? Well, go to your friend bob- who has installed staroffice- and do it.
I would love to be able to access my info from 'a centralized location'. Unlike hotmail, with Sun, that 'centralized location' can be my home computer.
The same goes for email and almost any of the other free services out there. you can always pick your provider.
~mindlace
Re:"Hotpopper", (Ad free auto hotmail checker (Score:1)
Re:you get what you pay for.. sometimes. (Score:1)
Re:nerds & cars? (Score:1)
This may be a true statement; we don't want to require people to become mechanics to drive cars. But we do want them to become motorists and to learn how to drive, pass a test on their knowledge of the rules of the road and demonstrate an ability to control the vehicle.
We certainly don't expect anyone who can barely find the ignition switch after a lengthy search, and only figures out which way to turn it on their second attempt, to run their computer without experiencing the exhilaration of disaster on a frequent basis.
Re:How the hell did this end up here? (Score:1)
I was wondering about that. Surely to be practical encryption would have to be completely transparent for HotMail use. If a CGI hole lets you into someone's account *as them*, the automatic decryption would continue to work just fine -- wouldn't it?
Jim
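The objection Jim raises above (if a hole lets you into the account *as the user*, "transparent" decryption keeps working) can be shown in code. The following is an added example, not code from the thread or from Hotmail: a hypothetical webmail backend (`Webmail`, `buggy_login`, and the bypass itself are all invented for illustration, and the thread never describes the real flaw) run in two configurations. In the transparent model the server holds each mailbox key and decrypts on read, so an authentication bypass yields plaintext. In the client-side model the server stores only ciphertext the client produced, so the same bypass yields nothing readable. The stream cipher is a toy built from HMAC-SHA256 so the example runs on the standard library alone.

```python
# Added example (not from the original thread): "transparent" webmail
# encryption vs. a key the server never holds, under the same auth bypass.
import hashlib
import hmac
import os
import secrets


def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> 32-byte key via PBKDF2-HMAC-SHA256 (stdlib only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode XORed over data.
    Illustration only; real code would use AES-GCM from a vetted library."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:16], blob[16:])


class Webmail:
    """Hypothetical webmail backend (assumed names, not a real service).
    transparent=True : server keeps each mailbox key, encrypts on delivery,
                       decrypts for any valid session.
    transparent=False: server stores only ciphertext made by the client."""

    def __init__(self, transparent: bool):
        self.transparent = transparent
        self.accounts = {}   # user -> salt, verifier, key (transparent only), mail
        self.sessions = {}   # session id -> user

    def register(self, user: str, password: str) -> bytes:
        salt = os.urandom(16)
        key = derive_key(password, salt)
        self.accounts[user] = {
            "salt": salt,
            "verifier": hashlib.sha256(key).digest(),   # for password checks only
            "key": key if self.transparent else None,
            "mail": [],
        }
        return key   # the client keeps this in the non-transparent model

    def login(self, user: str, password: str) -> str:
        acct = self.accounts[user]
        key = derive_key(password, acct["salt"])
        if not hmac.compare_digest(hashlib.sha256(key).digest(), acct["verifier"]):
            raise PermissionError("bad password")
        return self._new_session(user)

    def buggy_login(self, user: str) -> str:
        """Hypothetical auth-bypass bug: a session for any named user, no
        password asked. Stands in for the class of hole the thread discusses."""
        return self._new_session(user)

    def _new_session(self, user: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def store(self, user: str, message: bytes) -> None:
        acct = self.accounts[user]
        # Transparent: server encrypts with the key it holds. Otherwise the
        # client already encrypted and the server stores the blob as given.
        acct["mail"].append(encrypt(acct["key"], message) if self.transparent else message)

    def read(self, sid: str) -> list:
        acct = self.accounts[self.sessions[sid]]
        if self.transparent:
            return [decrypt(acct["key"], m) for m in acct["mail"]]
        return list(acct["mail"])   # ciphertext; decryption happens on the client


def demo() -> dict:
    """Run both models through the same bypass and report what leaks."""
    secret = b"Constructed sample message: meet at 9"   # constructed input

    server = Webmail(transparent=True)
    server.register("alice", "correct horse")
    server.store("alice", secret)
    leaked = server.read(server.buggy_login("alice"))[0]

    client_side = Webmail(transparent=False)
    key = client_side.register("bob", "battery staple")
    client_side.store("bob", encrypt(key, secret))       # client encrypts first
    blob = client_side.read(client_side.buggy_login("bob"))[0]

    return {
        "transparent_leaks_plaintext": leaked == secret,
        "client_side_leaks_plaintext": blob == secret,
        "client_still_reads_own_mail": decrypt(key, blob) == secret,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is where the key lives, not whether encryption is used at all: the transparent server must hold the key to encrypt incoming mail and to decrypt on read, so every session bug, CGI hole or hijacked cookie that reaches `read()` reaches plaintext. Moving the key to the client buys protection against exactly that class of server-side bug, at the cost of the "access from anywhere" convenience the thread keeps returning to.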
Re:Wha? (Score:1)
Ummm....since the application is *running* off the server, your data will almost certainly be pushed back and forth between server and client. Therefore, it's not quite as simple as saving locally or on the server (as you make it out to be). This means the server may peruse your documents for "keywords" and store a list on the server....and how would you ever find out about it?
no, too many security implications here.
Ajit
This changes.....nothing (Score:1)
> the Internet's self-regulation doesn't work anymore because it relies on the assumption of more or less equal participants. This is clearly no longer the case
Hel-_lo_; this wasn't the Turning Point Of The Internet. It was just a crack, many of which happen daily. The author is so naive.
You are thinking of hotmole (Score:1)
Network Computing (Score:1)
It's not about taking anything away from the users, it's ALL about giving control back to the admin and management; after all, they're paying the bills.
The simple fact that with NC you never have to replace another HD, or GHOST a machine back to a working state.
If you need to upgrade your client software, you update the one and only version on the server and never have to touch each workstation.
People say "Well what if the server crashes?"... My simple answer to that is... What happens if the server crashes with PC's on the desktop? Do your users keep working? Do you really want them to?
If your users are storing company data on their local HDD's you have a whole host of other issues. Even in the PC world, if the server crashes, Users need to stop working. And quite simply, A properly tended Linux (yea)
Enough rambling
Viva Xterminals!
-Matt (mhoskins)
----------------------------------------------
Matt on IRC, Nick: Tuttle
Privacy and freedom (Score:1)
Making Educated Decisions (Score:1)
The average Internet user does not have the technical skills to evaluate things like the risk involved with various patterns of usage. Would you keep your daily schedule online, on some company's server? Many people do. There are other companies working on Internet-based storage. You store your files on their computer and then you don't have to worry about things like backups and disk space. They'll take care of that for you.
For people who don't understand the difference between disk capacity and RAM capacity, or between a local drive and a network drive, how can they be expected to understand all the ramifications of a scheme like this? The car analogy *is* a good analogy: we don't have to know how the motor works because there are a lot of laws and precedents that protect us from poorly-designed motors. (And I think the percentage of people who *can't* change a blown tire is surprisingly high.)
The average Slashdot reader is undoubtedly an order of magnitude more sophisticated about computers and the Net than the average Net user. (Don't congratulate yourself; it has nothing to do with intelligence and everything to do with what's important to you. Someone is not stupid just because the difference between RAM and a hard drive is not important to them.) It's easy to forget that the world is generally set up for them and not for "us". And it should be.
Re:Wrong, wrong, wrong. (Score:1)
Good points, but I have one criticism:
> 20-year old dumb terminals that were hard to use.
OK, first off, I know that you're really referring to the programs which were running on the host to which those terminals were attached, not to the terminals themselves.
With that out of the way, I'd like to say that in my opinion, a good ASCII terminal program can be simpler and more efficient than an equivalent GUI program.
Have you ever tried to tell a clueless end user how to do something in Windows? It's tremendously complex, and pretty much impossible if you're on the other end of a voice-only phone connection. There are just so many variables in the GUI world, and so many points of failure or confusion, that it's insanity.
On the other hand, with an ASCII terminal, assuming the software is any good, things become extremely easy. You can give clear, concise directions to the user; and users can actually write down procedure documents to tell each other how to do things.
And then there's that hideous Windows 95 Start button interface....
Weren't network apps discussed already? (Score:1)
Whole big discussion on the good and bad aspects of having your apps on a central server. From my point of view, the general consensus was that this is just a way for the corporations to make more money and to get more control over the average user than they could get with normal apps.
And I still want to know what happens when the central server dies, or some construction people accidentally cut the 'net (phone, T1, whatever) lines, or the net is just really really slow with all these remote-running GUI apps, etc. No one can get any work done, because no software is local...
-----
Security != Micros~1 (Score:1)
I remember my Dad used to be really paranoid about cookies, but this is worse, because even sites that eschew storing passwords, etc. in cookies can still be subject to the dangers of auto complete.
Of course, this will not earn any big headlines because it is a "feature" of IE. Oh well...
PC E-mail crack! (Score:1)
http://www.mollymail.com [mollymail.com]
Combine this with the auto complete feature I reference above... and how secure is any E-mail accessed through IE? Also, I've used hotmail to access my school E-mail accounts (I've been with them since before they were assimilated by Micros~1) because I know my school accounts can disappear at any time anyway (that's how it is at my school) so I'm not concerned about their security.
Epiphany (Score:1)
I can now characterize the primary difference between Linux zealots and BSD zealots in one simple phrase:
Think about it: this simple difference in viewpoint encompasses the differences between the developer communities, the user communities, and even the hallmark licenses of both camps: the GPL which vests ownership of the code in ``the community'' vs. the BSD license vests ownership of the code with anyone who wants to use it.
It is hard to say which will prove to have the longest lasting effect on the world at this point. I have a pretty jaded viewpoint on how much John Q. Public wants to be saved from the evil that lurks within his phone, television, or internet connection, so long as he can figure out how to use it by watching a video that is not more than 1 commercial break long.
As for my house, we will stick with the nerds. I'm too busy to save the world. Even from themselves.
decentralization makes things worse (Score:2)
Central, server-based applications remove a lot of chores and cares from users. That's no different from other centralized utilities: people used to generate their own power and water, but today, most people rely on utilities. Those utilities generally do pretty well and provide reliable service. Occasionally, they do something dumb, or they just have bad luck, and a lot of people end up having service outages, but from the point of view of each individual, the service is usually still very reliable.
From the point of view of security, a diversity of professionally run computer services both beats a Windows/PC monoculture and a single huge server.
As for Hotmail--what do you expect? It's a free service, so why should they assume any liabilities? If you want a company that stands behind their security, you probably have to pay for the service. And you have to do a little bit of shopping to identify companies and vendors that actually care and know something about security.
Re:Biased argument... (Score:2)
I'm just genuinely glad I never worked for external customer support, so users had to at least be able to find their ass with a map and compass in order to work there. Still, I've asked people what kind of computer they're running, and they say "NEC Multisync" (pronouncing NEC "neck" of course).
Re:you get what you pay for.. sometimes. (Score:1)
Re:Access From ANYWHERE (Score:1)
Some cybercafes and kiosks make this a pain in the butt. Compared to running SSH Java applets, Hotmail is just as secure (regarding snooping... i.e. you still have to trust your home ISP admins if you're opening an SSH session), arguably more stable, and a heck of a lot easier to set up.
I was with Hotmail before Microsoft bought them. Do you know what I do with the account? It's what I put into all those boxes out on the Internet which read "Enter your email address here: (Mandatory)". It's my big spamcatcher, I open it up once a week or so, and wipe out oodles of junk-email... with the odd interesting post from some company which I'm actually interested in.
I do have some personal email archived in that account... but it's nothing I wouldn't want the world to see. All very boring and normal. If anybody asks me about hotmail now though, I point them to other HTML mail providers, and I do tell them why... because Microsoft is too powerful.
Re:you get what you pay for.. sometimes. (Score:1)
Compare that to most "freeware" (beer/speech/sex) licenses that say something like "this software is distributed without warranty or guarantee of any kind".
I would say that the biggest mistake made by Hotmail was claiming that they were secure and private for so long.
Murphy's Law.... (Score:1)
(Because yes, you can want things to go wrong....sometimes...)
Re:Wha? (Score:2)
> have possibly purchased Star Division to make StarOffice work better with these products, could they?
They might have - but not according to Sun: see the press release at http://www.sun.com/smi/Press/sunflash/9908/sunfla
--
Cheers
Jon
Re:Wha? (Score:1)
> have possibly purchased Star Division to make StarOffice work better with these products, could they?
They might have - but not according to Sun: see the press release on Sun's [sun.com] web site. Do you want to get in a scrap with Scott McNealy about his company's direction?
Re:Access From ANYWHERE (Score:1)
> Um, yeah, or you could just get a proper pop/imap box from somewhere other than your school and learn how to access it from another computer. It's not hard.
Until you find yourself behind a firewall that only lets HTTP through. And you will, sooner or later.
(I haven't "signed up" for a Yahoo mailbox yet, but it's getting to the point where I might have to do that. Those of you who are still in school, or who work for an ISP, etc., might not be aware of how completely fucked-up broken many corporate computing environments are. At this one, for example, I can send mail from Microsoft Outlook to any domain outside the firewall, but I can't send mail to a Unix machine inside the firewall. And I can't run a POP-3 or IMAP client inside the firewall to connect to a server outside the firewall, because the firewall only lets HTTP (and FTP, sometimes) through. And the HTTP is censored -- some domains are blocked....)
What the people want. (Score:1)
Hotmail is not the only kid in town. It seems everyone is offering free email these days. So why do so many people use Hotmail? Hotmail was one of the first web-based email systems and had the largest user base. That's why Microsoft bought them. They saw it as a way to flash the Microsoft name in front of more people. So now every time the average Joe gets on the Internet, he fires up Internet Explorer (not Netscape; that would take a bias against MS since he already has a perfectly good web browser preinstalled) and sees FREE EMAIL on his default home page. The Hotmail user base grows exponentially from all of this new advertising. And all MS did was advertise on their own site.
But WHY do people use it? Their ISP gave them an email account, which is arguably better. I started to say that it gives people a feeling of anonymity, but most people use their real names and have probably never thought about encrypting their email.
Which brings me to my point. People, meaning the masses in general, want a centralization of services. MS and Sun know this and want to offer those services. "Aunt Suzie uses Hotmail so logically if I do too things might work better." Now, that much thought probably never goes into it, but you get my point. People use Hotmail of their "own free will". It's just that Microsoft is getting very good at manipulating that "own free will."
Sorry, it's too early to put very much thought into something like this.
application servers (Score:1)
oh, users pay (Score:1)
Ironically, MS probably perceive their reaction to this as strengthening that last point. With many people, they may be right. The message seems to be "shut up and take it, we own you." It's a lie, but I recall a certain other large organization based on the idea that if you shout a lie long enough and loud enough, people will start to believe it.
And the Nazis weren't even incorporated.
phil :)
Kinda pleased with himself for worming the Nazi comparison in...
Re:Wha? (Score:1)
Assumptions: Home (l)user, using windows, 56k modem (probably a "win"-modem) dialup internet access, doing taxes, versus some yet-to-be-implemented network computer setup that involves a minimal OS, connected to an 'application server' through something like a X session, or something.
In order to get to your home windows (l)user, you've gotta get to them while they're connected, which could be for a day, or could be for 10 minutes, while they check their e-mail. And then, you have to hope that they haven't put that data on a zip disk, or a floppy, or something like that. And I know plenty of windows (l)users who save *everything* to floppy disks because they're "afraid of a hard drive crash that could wipe out everything". (keep in mind, here, that we're talking about the joe average home user, not the /. crowd. :))
If this (l)user was using some sort of NC service, all one would have to do is crack the security on that service. Then you would have access to this (l)user's data, as well as everyone else's in one convenient package, unlike having to go from machine to machine to machine to pick up several users' data.
This is not to dismiss the importance of the bug (or, wait, don't they call that a "feature"?) in either system. And it's kind of borderline 'security through obscurity'. But, overall, I think that I would feel more secure knowing that my data is stored right here where I can keep an eye on it, over having my data stored on some server located God knows where, that is constantly being hammered by attackers trying to get to this virtual gold mine of data. (maybe what I'm getting at is that my local PC isn't as attractive of a target as some NC server that has a few thousand people's data on it?)
Just my thoughts...
blah (Score:1)
but people get real.....
Before hotmail was bought out by M$ there was a CGI error that allowed anyone to access every account.. *ooh* i haCkEd hotmail. yay lots of e-mail and if I'm actually bored enough to read all of this I may get some info out of it.... bah.... the only information I ever found was the dirt on a few girls I was interested in
If hotmail or anything similar gets hacked/cracked again, the problem will be fixed in a heartbeat, just as this recent exploit was fixed. no big worry. the end.
It matters not who, but how fast.. (Score:2)
Does anyone remember who cracked 32-bit RSA encoding the first time? I don't, but I'll bet some of you do remember that it took the combined resources of the Internet something like 9 months to crack one simple text blurb with 32-bit encryption. That's why it's effective, and the larger the encryption, the more effective it becomes.
By comparison, how long did Hotmail even exist before they rolled out this "feature", what, two years tops? Furthermore, how long after they rolled out the insecure "feature" did it get jacked? Not long at all. Are people going to ditch Hotmail? Hell, yes. Why? Because they can't trust it.
What I'm getting at is that tracing the person who found this hole (I can't even call it a crack with a straight face) is less productive to the community at large than is 1) fixing the problem and/or 2) not letting it happen in the first place. If you're running a mail service, for God's sake, leaving a hole in it like that is inexcusable.
Free is a very good price, as they're fond of saying here in Portland, but it's probably not a good price for mail services.
Wha? (Score:2)
Okaaaay... Perhaps I'm missing something here, but just exactly why did this make Slashdot's "news-worthy" cut?
Maybe the link's wrong, or it's written in a language syntactically identical to English where all the words have different meaning, or something, because all it looked like to me was a lamer suit-type whining about his latest conspiracy theory.
Case in point: Our friend the author here seems to think that since HotMail (TM and (R) as necessary) is an Internet-based service, it is inherently less secure than PC-based email. Okay, here's a question. Before I click that "Check for new mail" widget, where is my mail? OH MY GOSH! It's out there on that scary Internet! ARRRGH!
Okay, that sort-of nullifies his whole argument. Email is spooled on networked machines anyway, not sent directly from workstation to workstation. He fails to realize that all email has the same potential risk, and the first line-of-defense has much to do w/ quality of server software, and network security. These things can be fixed to a large extent.
Also, our friend the authordroid seems to be mistaking storing applications on a remote server with storing data on a remote server. Is there really any problem with accessing an application via network that updates itself automagically and lets you save your data either on the server or locally?
Perhaps, though... the application is really being controlled by pinkos hiding out at Sun who are reading your steamy letters to your girlfriend! Please! Enough with the conspiracy theories! Sun makes workstations (You know, like PCs, only bigger) and operating systems, too. Sun couldn't have possibly purchased Star Division to make StarOffice work better with these products, could they?
No, one shouldn't have to be an auto-technician to drive a car, but you should at least know enough so that you're not completely stranded when your tire blows out, or know who goes first at a four-way stop. Does anyone know how we got to live in a society where people pride themselves on not having to know things?
By the way, Mr. Stalder, that's HotMail Crack.
From a Sun Microsystems bug report (#4102680):
Another Microsoft Innovation (Score:1)
Re:Biased argument... (Score:2)
Re:you get what you pay for.. sometimes. (Score:1)
There are NEVER guarantees. (Score:1)
Re:Not self-regulation; market regulation (Score:1)
Wrong! (Score:2)
This BS about the dis-empowerment of the user is starting to become tiresome.
He's right, PCs DID empower the user. Anyone can buy a PC and be as empowered as they'd like. Install any OS you want. Write all your own applications too if you want!
The 'average' user has been empowered past his capacity. He has the tools to do anything with a computer that Microsoft or Sun can do. He doesn't have the ability and since he's a single person, he doesn't have the time.
So companies full of smart people get together and pool their collective resources and they create services like Hotmail & Star Office Portal.
Does this dis-empower the user? No. These services are optional and free. The user can try to make his own mail & office suite.
Does this empower the user? Yes. You can do more with these services than you can without them. They cost nothing and they're optional.
Did the phone company disempower people? How about electricity and running water? How about oil companies? After all, before these companies, a person could get water from a well or pump their own oil and refine it themselves to power their own generator to make their own electricity. Now THAT's autonomy!
Here's a suggestion: stop keeping score of who's powerful and who's weak and go get something done! Star Division and Hotmail created good products that have helped a lot of people. What have YOU created that's helped a lot of people?
Re:oh, users pay (Score:1)
the net "for everyone else" (Score:2)
Another way is to create mechanisms of accountability, which replace fancy-worded "commitments" with "binding obligations" so that screwing up really hurts. Like in most other areas of life.
I suspect that the truth of the internet service future is summed up rather well here. The more folks use these services, the more pressure there will be for providers of these services to be accountable. Admittedly, policing the net seems intractable. On the other hand, that doesn't mean some bright cookie won't figure out a decent way to deal with it.
For instance, what if Texas decided that it would make net service providers accountable for the stability and security of the services they provide? Maybe they would let anybody sue a Texas provider that didn't meet that provider's claims of stability and security, in the hopes that companies would flock to Texas with the idea that net-users would consider Texan providers more accountable, hence generating more business locally?
IANAL, but such things seem at least possible. Or maybe there is a completely different idea out there floating around that would produce the same result.
I suspect that a world which allows idiots to sue McDonald's because the coffee they ordered was actually hot will eventually devolve into a world in which Joe Average can sue Provider-X for losing his index.html and not having a backup on the server.
I don't like it, but that seems to be the way things are going.
Re:you get what you pay for.. sometimes. (Score:1)
fat client vs. centralized server (Score:2)
HTML Based E-mail access... Should I worry? (Score:1)
Re:Wha? (Score:1)
Re:guess this makes *nix look better (Score:1)
Re:Wha? (Score:1)
Email is spooled on networked machines anyway, not sent directly from workstation to workstation. He fails to realize that all email has the same potential risk, and the first line-of-defense has much to do w/ quality of server software, and network security. These things can be fixed to a large extent.
Actually, the first line of defense should be part of the e-mail *client*, not the server. It's the last paragraph of this article that indirectly points this out--the paragraph that says "Free, easy to use, public domain cryptographic tools are a necessity."
Crypto is your only real privacy protection. It's ridiculous that it's not readily available for everyone--it's not as if the technology isn't there. No, this won't stop DOS attacks and such, but it will guard your e-mail from prying eyes.
By the way, you may actually have better privacy on Hotmail than on your ISP. I've talked to former ISP employees that admit to printing out their users' "juicy" e-mails and passing them around the office each morning for fun. Besides that, cool software like Ethereal [zing.org] makes e-mail passing through your network segment on its way to the server quite easy to read if it's unencrypted.
If you expect anyone other than yourself to protect the privacy of your e-mail, then you are kidding yourself.
numb@g27.org [g27.org]
Re:you get what you pay for.. sometimes. (Score:1)
I FOUND THEM! (Score:1)
Suing McDonalds for hot coffee (Score:1)
It's funny how those little "technical details" can make the difference to a story ...
I used to think that suing McD's for hot coffee was stupid too, until I learned some more details about that case. IIRC, the temperature of the coffee was 170degF, about 50degF higher than food service "industry standard." This is hot enough to cause third degree burns. The lady who sued McD's originally approached McD's to see if they would cover her hospital costs for those third-degree burns that the spilled coffee caused her. When they told her "get lost, that's not our problem," she then got a lawyer ...
It was uncovered, as part of the fact-finding for the case, that McD's in general, and that particular restaurant, had received numerous, documented complaints about the temperature of the coffee being high enough to cause burns. Yet McD's had chosen to ignore the problem. It was this pattern of negligent behavior that led the jury to award punitive damages as well.
McDonald's never admitted fault or responsibility, but for some mysterious reason, they soon after changed the settings on their coffee heaters down closer to 125degF, not hot enough to burn.
I'm not sure it's possible for an ISP to be this recklessly negligent concerning human health -- it's awfully tough to hurt anyone with bits and bandwidth. While there are stupid lawsuits and greedy lawyers out there, there are also stupid, greedy, negligent companies out there who won't do the right thing unless a judge makes them do it.
"Morality cannot be legislated, but behavior can be regulated. Judicial decrees may not change the heart, but they can restrain the heartless."
-- Dr. Martin Luther King, Jr.
Re:It matters not who, but how fast.. (Score:1)
it took the combined resources of the Internet something like 9 months to crack one simple text blurb with 32-bit encryption.
I believe you're referring to a 56-bit RC5 key. You can check the distributed.net [distributed.net] archives to find the details.
What really annoys me... (Score:1)
Hotmail being cracked is not the end of Web-based mail. It's just a sign that M$ isn't doing its homework when it comes to security, and that people should withdraw their support for companies that do not provide secure storage and operation, if it's an important concern of theirs.
It certainly is one of mine, and all it means is that I use encrypted Webmail for less significant yet private issues, and PGP when I want real privacy. And it's why I do not have nor ever had a M$-owned Hotmail account.
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
Wrong, wrong, wrong. (Score:4)
You're not rebuking the idea of centralised computing, you're playing on people's prejudices against 20-year old dumb terminals that were hard to use.
In huge centralized system the effects of such attacks are greatly magnified because one single line of code can suddenly open millions of mailboxes.
And one line of bad code can't be much more of a risk on millions of PCs running the same (browser, e-mail, etc)? At least on a centralised server, it can be fixed for good, by qualified people.
You invariably end up with no rights what so ever, and you are likely not even to know it because you would have to be a computer scientist and a lawyer at the same time.
What exactly does this have to do with the matter at hand? How will putting a PC that needs to be configured, maintained and supported on every desktop help here?
Centrally managed computing (like Sun may offer) is a good answer for companies that need to manage hundreds or thousands of desktops for clueless users in a sane manner. No one is shoving anything down your throat. Yes, believe it or not, the big, nasty corporations aren't, in this case, trying to rob you blind, curtail your precious rights, or anything else. They just don't care.
The key difference between HotMail and StarOffice (as a service) is that StarOffice will run INSIDE the company, and therefore be the responsibility of "friendlies", NOT an external service provider.
Of course, they'll probably make it a net-available services as well, but so what? Big corporations *gasp* are still responsible for writing a lot of the software out there.
I don't know exactly what the author is trying to do here; it seems like they've strung together a list of 'hot-button' issues to make some kind of statement, one that we've heard many times before. It doesn't add anything really useful.
Re:Wha? (Score:2)
I kind of feel that this comes back to the old adage, "Don't put all of your eggs in one basket." While there is nothing evil about centralizing information, the consequences of a single crack are far greater... while the danger is still the same...
From a user's standpoint, when you put your money in a bank, you kind of expect it to be there when you need to withdraw it... the bank should not be losing your money all over the place... or have your money stolen by Kro0kS... you don't really need to know how the FDIC (I think) insures the funds... you just expect your money to be safe. I don't know if any of us (well, most of us?) really understand the safeguards on our bank accounts, nor on the global ATM network...
Ideally, a system, such as Hotmail [hotmail.com] should be secure. Granted, total security is never possible, but it should at least be reasonably secure...
In short, distributed computing poses the same series of dangers as a centralized network, but generally the repercussions of a crack are not nearly as bad on a distributed network...
Don Armstrong -".naidnE elttiL etah I"
Re:Wha? (Score:3)
Well, you just said it -- *new mail*. Sure, your e-mail passes through the internet, but it spends very little of its time there. Most of my e-mail has been safely in its folders on my system for months, and only on the internet for hours.
The other issue is concentration of resources. Sure, it's cheaper and easier to keep 40 million people's e-mail (the entire history for many, not just their recent e-mail) on one set of large servers. But that same concentration means one single flaw in security can expose that entire quantity of e-mail (as was just demonstrated). When e-mail is stored locally on end users' machines the risk is distributed, and each person can be more responsible for their own safety.
"Also, our friend the authordroid seems to be mistaking storing applications on a remote sever with storing data on a remote server. Is there really any problem with accessing an application via network that updates itself automagically and lets you save your data either on the server or locally?"
You know, I think that's an excellent idea for web apps like StarOffice and HotMail: keep the files locally, the applications centrally. But I get the impression it wasn't an option for HotMail. It won't be an option for those on WebTV either (like we care -- I know.)
I have nothing against Sun's plan to market web applications, they have a lot to recommend them in ease, price, and convenience. We have to be realistic about the flaws too though, or we're going to see too many more incidents like the recent HotMail crack.
Jim
No disempowerment for the technically aware (Score:2)