The Internet

The Significance of the Hotmail Crack 185

Slothrup writes "Telepolis has an interesting piece linking the problems at Hotmail with the Sun purchase of Star Division. An excerpt: 'What this the Hotmail hack shows is that the Internet's self-regulation doesn't work anymore because it relies on the assumption of more or less equal participants. This is clearly no longer the case.' " Interesting piece. Definitely worth a read.
  • ...when you can walk in the virtual front door?
  • It does not really matter. The fact that you do not pay does not mean that the service quality should have no guarantee. For example X sets up a free internet service. Some of the revenue from advertisements is reinvested in service guarantees. It is a question of overall policy. M$ is not the imaginary X in the lines above. Read their licence agreement on "paid" services and see for yourself. There is no guarantee whatsoever even if you pay. In other words it is a question of "who offers the service".
  • A bug is an undocumented feature.
    Similarly,
    A feature is an undocumented bug.
  • Yesterday in the Ottawa Citizen newspaper
    See it here [syndicam.com]
    ---
  • Hotmail is an ideal service! It allows me to send guaranteed spam (you must enter your e-mail to use our service, and we promise to sell it to other people!) So, I enter my hotmail account in the rare case that I have to click on some URL to get into said service from the mail, etc.

    Also, it keeps other people from grabbing my nickname and masquerading as me from a hotmail account...
  • I agree, that one line bothered me, too.
    The thing that gets me is, ma and pa computer user routinely f*ck up their machine, refuse to pay for needed upgrades, and call their ISP to help them install a game for their kids. I have been fielding tech support calls (in addition to my other duties) for about a year, and it burns my buns! These people don't know and they don't want to learn. "I'm computer illiterate." Well then turn the damn thing off and donate it to a school or something!
    Whew. Sorry for that, it's been a hellofa week. :)

    The Divine Creatrix in a Mortal Shell that stays Crunchy in Milk
  • On the one hand, you have people like me who use Hotmail as a spam catcher. (I do actually skim for actual messages to me once a week or so, in case someone's trying to reach me through it.) If someone got into my account to read all my spam, I couldn't really care less.

    On the other hand, for those that actually use it as a major provider for their email, they've got to weigh the possibility of a breach happening to Hotmail in the future (and not happening to the other web email services) against the hassle of getting all their acquaintances to use their new email address. As someone who still gets email from an account I closed over two years ago (it still gets forwarded to me thanks to an understanding ISP), I can testify that it's a pain. You also have to consider that those people who do use web email as a major provider are rarely the type to come into contact with hacker types -- they're more the ma and pa type of user -- and were very unlikely to be targeted.

    Cheers,
    ZicoKnows@hotmail.com

  • Like any product or service, the informed consumer doesn't get ripped off. If you had stayed abreast of the news you heard about the hotmail crack and now have your e-mail at yahoo.

    And like with any product or service, there will be a portion of the population that won't care that they're getting ripped off.

    If security was a concern, storing mail at hotmail is an obvious no-no, even for a novice user (who, chances are, does not have much concern for security).

    What is important is that the average user hear about such poor service, and switch.

  • We shouldn't be forced to become nerds just to use computers, as much as we do not have to become mechanics to drive cars. Interesting, however what if you've become both? I work on my computer(s) and work on my car(s). Probably not atypical but if you like that sort of thing... The only problem I have is that after working on the car my hands are in no condition to work on the computer.
  • by cyanoacrylate ( 47864 ) on Thursday September 02, 1999 @08:06PM (#1707889)
    Sun is a HARDWARE and SUPPORT company. True, they sell Solaris, at a loss. True, they sell lots of products under the Solstice banner, but usually they're just 3rd party products with Sun's Stamp of Approval. Java is merely a part of the strategy to continue to sell big servers - Java applets (what's that? StarPortal did you say???) need to be served, and, in the size and scope that Sun is thinking in, (40 million users? (there's a convenient number...)) by the very servers they produce.

    Honestly... Whether the software is open source or not won't matter to Sun. It's just that RIGHT NOW the available commercial software is better for the markets they look at (Koffice will be _great_ but it's not there yet, and it's not written in Java)

    And the server-centric model is the right one... At least from a management perspective.

    --
    We are Microsoft. You will be assimilated. Resistance is Futile.
  • have fun! it's impossible to have your hotmail account removed :-) The only way to get rid of it is to have it time out, but then how would you stop people mailing it? The moment you go back to read the mail you have another 6 months to wait. One word - "microsoft". Anyone thought of writing a "hotpopper" program so we can download mail from hotmail without having to read the stupid adverts?
  • I'll keep my data on my own box, and not use a thin client to upload everything to their servers, thank you very much. Bugs wouldn't be my biggest worry -- it's the idea that my data could be held hostage by some sysadmin honked off because I nailed his wife or riled up about some joke I made about Scott McNealy's gigantic fucking teeth. Forget that mess.

    Cheers,
    ZicoKnows@hotmail.com

  • While I agree with your point, I think you have missed the trend to integrate Hotmail into MS Outlook; this would discourage new users to explore alternatives much as the packaging of Explorer has with Windows.
    However the most probable reason that Hotmail is so popular is that it isn't a bad service. A lot of the webmail alternatives are probably no more secure or reliable.

  • Nearly any system is likely to be able to be compromised. With this in mind, would the only answer be to not trust any system and always use encryption and back up data in more than 1 place? I don't think the main problem with hotmail is its security but its potential lack of privacy, which could come about in more forms than simply someone breaking into your email account.
  • A hotmail programmer inadvertently commented out a line of code that handled password authentication. Anyone could log in with any password. But nobody noticed because the login script was an OLD login script, that was (for some stupid reason) left on a production server.
  • the article never mentions that as a hotmail user.. you never pay for support or even service. If you want greater control over your mail.. there is plenty of competition.. local ISPs.. large national and worldwide too. The key is that you have to pay something for it. Open source isn't the answer to everything. As far as I am concerned the only thing it has proved to do is breed innovation and stable, relatively bug-free applications. It doesn't however come with any guarantees.
  • Dude, your HotMail account says it ALL.

    And I didn't say thin-clients were right for EVERYONE...

    But for the a-technical masses, they're ideal.

    --
    We are Microsoft. You will be Assimilated. Resistance is Futile.
  • After months of getting worse and worse, it's finally hit rock-bottom. Adding Microsoft to a situation seems to do that for a lot of things...
  • The author misses the point in that we're not talking about self-regulation; Microsoft instead faces market regulation. MS has competitors in the freemail business, and will lose customers from Hotmail because of its security issues.

    If MS had a natural monopoly in freemail (like if Hotmail had a patent on the concept), I'd agree that self-regulation is insufficient. But in this case, the loss of customers and ad revenue for Hotmail, not to mention loss of MS credibility, will hurt them more than a few lawsuits from disgruntled parties.
  • Rough translation of Expressen article [expressen.se] ...

    Hotmail Scandal - Sexbuyer identity revealed?

    Someone has hacked an email account that belongs to two young prostitute girls and sent out their correspondence on the Internet. There is revealed the name and telephone number of many of their clients. "I want only to know if they were prostitutes for real", says a medium director whose name appears on the correspondence.

    On Monday the Express revealed that anyone could read other's email at Microsoft's email without entering a password. After that the Microsoft staff took the whole ten hours to fix the problem before it could work safely again. During this time, someone accessed the email account of two prostitute girls, then posted the messages on an anonymous homepage on an American server where everyone could read them.

    Intimate details
    On the homepage is revealed many intimate details about those who wrote the messages. "I am a pleasant and kind person, married, who needs more than what I get at home", writes a man whose name and telephone number appears on the homepage. Many of the persons who wrote to the girls explained that they are businessmen who sometimes seek escorts in Stockholm and want to have contacts. The person behind the homepage requests that readers write email and call the men. A director in a well known medium company appears on the homepage. He has written email to the girls and wrote "I am seriously interested in french lessons with you on a continuing basis. Can you tell more about your lessons, it would be nice if you also could attach a picture with the course plan". When the Express contacted him he knew already that his name and phone number was on the webpage. "It is horrible and I understand that it is easy to ruin one's reputation" he said. He maintains that he did not buy sexual services and he only was curious to find out if they really were prostitutes.

    Anonymous homepage
    The homepage where the names appeared is on an American webserver where everyone can log on anonymously for free. Therefore it is impossible to find out who is behind the page with the sensitive information. "What has happened with Hotmail is regrettable, but it is a whole other thing to take someone else's information and publish it on a website", says Lars Backhans, Microsoft's highest official for Hotmail in the Nordic Countries. "This here is abominable"
      ---
  • No, what this shows is that Microsoft continues to not care about security. Having your data on a professionally managed and backed up machine, that you pay for (so they feel some real enforceable obligation to you) is probably a good thing. Just don't trust MS to do it.

  • "Okay. Sure, it's easier and cheaper to store everybody's money in a few large organisations, let's call them
    banks, but that same concentration, while it may mean that one single security flaw can expose all that
    money to theft, I wouldn't want to suggest that we all therefore stuff our mattresses with banknotes and
    sleep with a pistol under our pillows."


    There are people who've been burned and lost enough to banks that this is not a joke, not sarcasm, and take this comment seriously.
  • I thought taxes were to find marijuana smokers and lock them up, while idly letting the roads become
    part of the "crumbling infrastructure" so that more taxes can be raised.
  • You are right, mail is inherently insecure, unless encrypted with good cryptographic software, or unless you can trust every machine SMTP IP packets go through.

    But it is not mail author concerned with. What happens when Sun would release StarPortal? Your spreadsheets (say financial info) and word-processing documents would be stored on the network servers and they would be vulnerable to the same attack as Hotmail.

    If hotmail crack didn't exist and this document wasn't written, Microsoft should invent both themselves (or did they?), just to show people that Sun offering (which is cheaper and more featureful) is wrong way to go, and user should still pay MS and hardware manufacturers for more bloated software and more heavy notebooks to carry personal data around.

  • >like if Hotmail had a patent on the concept

    Jesus, don't go giving them ideas!

  • Hear hear!

    I've only bothered reading the line in the extract about the hack disproving self-regulation, and as far as I'm concerned, it goes to prove the point: we're not ALL braindead morons, and we shouldn't have to pander to those who are.
    (The rest of the article is going to remain unread in the light of that extract alone.)

    Agree entirely about risk assessment, etc...

    Anyone got an uzi for these journalists? :)

    ~Tim
    --
  • okay so this person has access to 40 million accounts or whatever..


    Not one person, all people. It took me about 2 minutes from I heard about the hack till I had the URL that let me get into anybody's email. That "Hotmail was hacked" is just not correct, that "a method was uncovered that let anyone get into any user account at Hotmail" is a more precise description. Get the facts straight.


    I could for example have used this opportunity to log onto admin@hotmail.com (yes, it was also open), sent a mail requesting some personal information from the users, and I could have waited there about 13 hours to collect the answers because MS didn't shut the server down and gotten home, free, and away with loads of information I should not have had. And that is just one thing you could have done, there is plenty of others.


    "The future is already here, it's just not evenly distributed yet."
    - William Gibson


  • " phil
    Kinda please with himself for worming the Nazi comparison in... :) "

    Except that you killed the thread by godwin's law.
    Why haven't you been moderated down to -5 or so?
  • [0] read it again. I'm talking about service providers (as in Hotmail, E-bay, Amazon, etc), not ISPs

    It's pretty easy for someone to misunderstand you there, considering what ISP stands for.

  • This story lacks much merit.

    Self regulation does work, unless you as an individual do not let it work for you.

    There are so many companies out there offering the same exact service as hotmail.com that there is nothing preventing you from switching. Hell, I even got an ad for a free email account from American Express.

    This is what is so utterly stupid about some of these internet evaluations and mergers. For example geocities. What is it about geocities that makes them worth $5 trillion? Nothing, the technology and infrastructure can be put together for a few million in under a year.

    And has been shown over and over again, people do suddenly switch from using one web site to another, from one fad to another.

    The only thing keeping people at hotmail is their own stupidity. It has nothing to do with Microsoft being huge.

  • And one with which I partially agree.

    Free services .... especially when run
    by overly large companies like Micro$oft
    do not NEED to worry about the well being
    of their users.

    I mean, if M$ killed hotmail right now, what
    would happen? Or if they limited it JUST to the
    MSN users ... who pay for their usage I might
    add ....

    Some million or so users would be out of a cheap
    but effective free webbased email.

    And I'm sure Gates would just be shaking in his
    booties about that one .... not.

    .....

    Open Source has nothing to do with this issue
    as I see it .... it is more of the issue that M$
    did not 'come to the rescue' because they could
    AFFORD to wait ...

    Everyone is complaining that their security was
    compromised. So. Did you leave hotmail for
    another provider?

    'nuff said.
  • More regulation is bad - If "e-mail sites like hotmail" were disallowed from disclaiming responsibility for their *free* service, then that also means that if you wanted to offer a similar free service--- you'd be responsible if it screwed up. They're charging $0, the service is offered "as is, with no warranty", what's the problem?

    People shouldn't sign away their rights and then complain when they don't have them any more. Before you press "Agree", read what you're agreeing to, and only press "Agree" if you agree!

  • godwin's law?

    Please enlighten...
  • >If you use it for serious mail, you're an idiot. Which is of course what most of us have been saying for years, but seeing as no one listened until now, I do think all the noise is justified. The point of the discussion is supposed to be something along the lines of: "If Hotmail stinks and can't be used for serious work, will all other Internet applications stink as well?"

    -
    /. is like a steer's horns, a point here, a point there and a lot of bull in between.
  • I never used Hotmail because I didn't like the thought of Bill Gates running through my email (not like he could find the time though).

    People should use pop3 with pgp installed. Besides, who likes to be owned by Microsoft anyway.

    When people subscribe to free email the service provider isn't obligated to do anything. He could sell your email address to some advertiser although he says he won't (who's gonna know anyway?).

    I believe free email services are a problem on the Internet and the source of many spam emails people receive.

    Think about it
  • I guess this makes having a Linux PPC system at home more attractive these days. We all know that windows is prone to cracking and this is just more proof that they know nothing at all about security. *nix on the other hand has been handling security a little better. Don't get me wrong, any system can be cracked, but it seems like a trend to crack Microsoft systems these days. We are always hearing about their security problems, and they seem to have so many. The world is just not ready for network pc's. Maybe in a LAN yes, but not in a home, where everything is on the server. Hell I am debating whether or not to write my own encryption program, and then send the keys to people I want to decrypt the mail.
  • My flatmate started talking about this hotmail crack last night. Obviously I corrected him pointing out that it was merely a huge hole, no real cracking involved. Someone else in the room immediately started on about how she was going to get a hotmail account soon and how exactly do you go about doing that?

    WHAT?

    Were you not listening to what we were talking about? Hotmail sucks, it's got a crap HTML interface that's slow and full of adverts and it's not secure and full of spam. What on earth would you want a Hotmail account for?

    You get to choose your own username and you can access from anywhere, not just from college. It would have been useful when I was in America last month.

    Um, yeah, or you could just get a proper pop/imap box from somewhere other than your school and learn how to access it from another computer. It's not hard.

    Didn't work of course. She's still planning to get a hotmail account. Nothing I could say would convince her otherwise coz all her friends are using hotmail and they all think it's great coz you can access from ANYWHERE.

    Bah. I'd sooner telnet to a pop3 port than face the nasty Hotmail interface.

    Pre.......
  • movement is doing a lot in this direction. Cryptography is on top of the list. Free, easy to use, public domain cryptographic tools are a necessity. And with a few targeted public research grants they could become a reality rather sooner than later. An other

    The Gnu Privacy Guard [gnu.org] already provides freely available, easy to use public key cryptography. It's extremely simple to integrate it as a filter in eg. Pine or your favourite mailer. Version 1.0 is due out RSN, and 0.9.11 was released today.

    - Aidan

  • Here's a somewhat off-topic cnn blurb [cnn.com] about the slashdot response to the hotmail crack.

    It's quite a compliment when cnn gets its news by reading slashdot. Tee-Hee!!
  • Such a clueless one, who thinks hotmail is the *only* free-web-mail service, will not understand "telnet" and "pop3". Recommend an alternative free mail site. I recommend linuxstart.com. Simpler, less cluttered. *And* it's not owned by Microsoft (or any other publicly traded corporation) How about that!!
  • Same arguments apply the same way.

    Since the Internet is a no-boundaries system, you'd be dumb to locate in a regulated area when you can offer the identical service in a less-regulated (read lower-cost) area.

    (Of course, the regulators would respond that they'll just force people to locate in Texas to do business with Texans. Then you could arrest Texans who illicitly use out-of-state services. Tell me when this starts sounding like a good idea. )
  • Godwin's Law [tuxedo.org]

    HTH. HAND.

    --
    Repton.

  • and if they knew anything about security, they could configure FreeBSD to be secure, or they could be using OpenBSD which has never been cracked supposedly, see the thread about OpenBSD a few days ago. Microsoft tried the IIS/NT with Hotmail, and it could not scale to their demands. Thus *nix is better.
  • My reason for learning both is simply to avoid getting screwed every time one of them needs serviced.
    You hit the nail on the head there. Exactly why I do mine own car work. :) Of course, spending a day under the hood of the computer is much less messy than under the hood of the car. ;)
  • And the point is that StarOffice can be run by anyone. Want to have your office suite with your files anywhere? Install it on your home pc.

    Don't have the savvy to do that? Well, go to your friend bob- who has installed staroffice- and do it.

    I would love to be able to access my info from 'a centralized location'. Unlike hotmail, with Sun, that 'centralized location' can be my home computer.

    The same goes for email and almost any of the other free services out there. you can always pick your provider.

    ~mindlace

  • Are you border-line retarded? I ask this because it seems that you can't form a coherent thought.
  • Yes, you do pay for roads. That is what TAXES are for.
  • "We shouldn't be forced to become nerds just to use computers, as much as we do not have to become mechanics to drive cars."

    This may be a true statement; we don't want to require people to become mechanics to drive cars. But we do want them to become motorists and to learn how to drive, pass a test on their knowledge of the rules of the road and demonstrate an ability to control the vehicle.

    We certainly don't expect anyone who can barely find the ignition switch after a lengthy search, and only figures out which way to turn it on their second attempt, to run their computer without experiencing the exhilaration of disaster on a frequent basis.
  • "Apart from stating that crypto is a solution, everything else is crap."

    I was wondering about that. Surely to be practical encryption would have to be completely transparent for HotMail use. If a CGI hole lets you into someone's account *as them*, the automatic decryption would continue to work just fine -- wouldn't it?

    Jim
  • Also, our friend the authordroid seems to be mistaking storing applications on a remote server with storing data on a remote server. Is there really any problem with accessing an application via network that updates itself automagically and lets you save your data either on the server or locally?

    Ummm....since the application is *running* off the server, your data will almost certainly be pushed back and forth between server and client. Therefore, it's not quite as simple as saving locally or on the server (as you make it out to be). This means the server may peruse your documents for "keywords" and store a list on the server....and how would you ever find out about it?

    no, too many security implications here.

    Ajit

  • the Internet's self-regulation doesn't work anymore because it relies on the assumption of more or less equal participants. This is clearly no longer the case

    Hel-_lo_; this wasn't the Turning Point Of The Internet. It was just a crack, many of which happen daily. The author is so naive.


  • There used to be a program called hotmole that did that very thing, but the webpage is gone now. I emailed Hugo Rabson, the developer of hotmole, and he told me that considering how often Microsoft changes hotmail's format, it was just too much to try to keep rewriting hotmole to fit every new change. It's too bad because it really came in handy, but then again I completely see his point, I'm sure Microsoft wouldn't blink twice before changing specs again just so hotmole or any program like it, would break.
  • Like most ppl, this guy completely misses the point about NCing. He seems to think that NCing takes the "power" away from the user... But the power to do what? Work? I think not. Users mostly object to not being able to install their own "screensavers" and "games" at work in an NC environ.
    It's not about taking anything away from the users, it's ALL about giving control back to the admin and management, after all they're paying the bills.
    The simple fact that with NC you never have to replace another HD, or GHOST a machine back to a working state.
    If you need to upgrade your client software, you update the one and only version on the server and never have to touch each workstation.

    People say "Well what if the server crashes?"... My simple answer to that is... What happens if the server crashes with PC's on the desktop? Do your users keep working? Do you really want them to?
    If your users are storing company data on their local HDD's you have a whole host of other issues. Even in the PC world, if the server crashes, Users need to stop working. And quite simply, A properly tended Linux (yea) /Solaris (ick) server will not crash.

    Enough rambling

    Viva Xterminals!

    -Matt (mhoskins)

    ----------------------------------------------
    bash# lynx http://www.slashdot.org >>/dev/geek
    Matt on IRC, Nick: Tuttle
  • I've been hearing the rants against centralized software for a while. Quite frankly, I don't think it'll ever be all software. The Open Source economic model, if it is successful, will always be superior in both strength and agility to any closed, tightly-held system. The argument of centralized vs. non-centralized applications is really just an extension of the Open-Source vs. Closed-Source debate. Micros~1 (and others) already have stood behind a proposal to allow a software vendor the right to remotely disable any and all applications that the software company "owns" for pretty much any reason (http://209.207.224.40/articles/99/06/01/1642234.shtml). Imagine how easy it would be if the software in question were actually on a machine owned by the company. So we have, for the software/computer company, a complete centralization of its control of software. Fortunately (hopefully) I don't think market forces will allow this to happen. It's all very well (and understandable) for a corporation using these products to want centralized control of their employees' software, etc. It's quite another matter for these same corporations to allow their software/computer vendors to turn off their machines or software at will-- effectively allowing them to be held hostage by their vendors. Also, I wonder how many end users will trust all of their most valuable applications to such a centralized system which could also hold their documents hostage. Perhaps many. But, at least, the popularity of Open Source among users as well as more nerdy types indicates that it won't be a complete sell-out by society.
  • I agree that the article has flaws, but I think that people are missing some of the key interesting points, particularly in regard to the idea of "equal participants."


    The average Internet user does not have the technical skills to evaluate things like the risk involved with various patterns of usage. Would you keep your daily schedule online, on some company's server? Many people do. There are other companies working on Internet-based storage. You store your files on their computer and then you don't have to worry about things like backups and disk space. They'll take care of that for you.


    For people who don't understand the difference between disk capacity and RAM capacity, or between a local drive and a network drive, how can they be expected to understand all the ramifications of a scheme like this? The car analogy *is* a good analogy: we don't have to know how the motor works because there are a lot of laws and precedents that protect us from poorly-designed motors. (And I think the percentage of people who *can't* change a blown tire is surprisingly high.)


    The average Slashdot reader is undoubtedly an order of magnitude more sophisticated about computers and the Net than the average Net user. (Don't congratulate yourself; it has nothing to do with intelligence and everything to do with what's important to you. Someone is not stupid just because the difference between RAM and a hard drive is not important to them.) It's easy to forget that the world is generally set up for them and not for "us". And it should be.

  • Good points, but I have one criticism:

    20-year old dumb terminals that were hard to use.

    OK, first off, I know that you're really referring to the programs which were running on the host to which those terminals were attached, not to the terminals themselves.

    With that out of the way, I'd like to say that in my opinion, a good ASCII terminal program can be simpler and more efficient than an equivalent GUI program.

    Have you ever tried to tell a clueless end user how to do something in Windows? It's tremendously complex, and pretty much impossible if you're on the other end of a voice-only phone connection. There are just so many variables in the GUI world, and so many points of failure or confusion, that it's insanity.

    Now click on File. It's in the upper-left hand corner. No, not the corner of the screen -- the corner of the window. No, not the inner window -- the outer window. Now click on Printer Setup. OK, now select your printer from the list. No, it's at the top of the window. No, click on the little arrow....

    On the other hand, with an ASCII terminal, assuming the software is any good, things become extremely easy. You can give clear, concise directions to the user; and users can actually write down procedure documents to tell each other how to do things.

    Press P. Now press the down arrow until your printer appears in the window. Now press the Enter key.

    And then there's that hideous Windows 95 Start button interface....

  • Get Ready for Rent-An-App [slashdot.org], August 15.

    Whole big discussion on the good and bad aspects of having your apps on a central server. From my point of view, the general consensus was that this is just a way for the corporations to make more money and to get more control over the average user than they could get with normal apps.

    And i still want to know what happens when the central server dies, or some construction people accidentally cut the 'net (phone, T1, whatever) lines, or the net is just really really slow with all these remote-running GUI apps, etc. No one can get any work done, because no software is local...

    -----

  • Hmm, you know what I think is a huge security hole in Hotmail and numerous other Websites? The idiotic autocomplete feature in Internet Explorer! Why do I say idiotic? Because it is turned on by default! Whose bright idea was this! I know that many people have been asking me how to turn it off and how to get their old passwords out of the things. I mean, how many people at a low level of computer literacy have accidentally left their passwords on school, library and other public computers by now? I'd be really interested to see that number.
    I remember my Dad used to be really paranoid about cookies, but this is worse, because even sites that eschew storing passwords, etc. in cookies can still be subject to the dangers of auto complete.
    Of course, this will not earn any big headlines because it is a "feature" of IE. Oh well...
  • Hmm, many of the ordinary POP3 E-mail accounts that you can get through Outlook Express, Netscape, Pine, or Eudora can also be accessed here:


    http://www.mollymail.com [mollymail.com]


    Combine this with the auto complete feature I reference above... and how secure is any E-mail accessed through IE? Also, I've used hotmail to access my school E-mail accounts (I've been with them since before they were assimilated by Micros~1) because I know my school accounts can disappear at any time anyway (that's how it is at my school) so I'm not concerned about their security.

  • Reading this column, I just had an epiphany. As the author went round the bend from analyzing what the latest giant hole in HotMail meant to how this proves Open Source is an extinction-level event for Microsoft, I finally realized an important point I have been groping for the past several years.

    I can now characterize the primary difference between Linux zealots and BSD zealots in one simple phrase:

    Linux zealots are firmly convinced that Open Source software is going to save everyone, while BSD zealots only care about saving the nerds.

    Think about it: this simple difference in viewpoint encompasses the differences between the developer communities, the user communities, and even the hallmark licenses of both camps: the GPL, which vests ownership of the code in "the community", vs. the BSD license, which vests ownership of the code with anyone who wants to use it.

    It is hard to say which will prove to have the longest lasting effect on the world at this point. I have a pretty jaded viewpoint on how much John Q. Public wants to be saved from the evil that lurks within his phone, television, or internet connection, so long as he can figure out how to use it by watching a video that is not more than 1 commercial break long.

    As for my house, we will stick with the nerds. I'm too busy to save the world. Even from themselves.

  • Decentralization in the form of end-user-run PCs doesn't solve any security problems. A single bad line of code in Windows opens up millions of Internet-connected PCs just as surely as a single bad line of code in Hotmail. But in addition to bugs, end users that maintain PCs generally have little experience or understanding of security issues.

    Central, server-based applications remove a lot of chores and cares from users. That's no different from other centralized utilities: people used to generate their own power and water, but today, most people rely on utilities. Those utilities generally do pretty well and provide reliable service. Occasionally, they do something dumb, or they just have bad luck, and a lot of people end up having service outages, but from the point of view of each individual, the service is usually still very reliable.

    From the point of view of security, a diversity of professionally run computer services beats both a Windows/PC monoculture and a single huge server.

    As for Hotmail--what do you expect? It's a free service, so why should they assume any liabilities? If you want a company that stands behind their security, you probably have to pay for the service. And you have to do a little bit of shopping to identify companies and vendors that actually care and know something about security.

  • That's why you don't say "Press F1" you say "hit the F1 key" (no most users will not strike the key with a hammer when you say "hit"). If this boggles them, you say, "should be right at the top". Then it's "hit the return key" if they're on a mac or most unix boxen, or "hit the enter key" if they're on a PC. Any good tech will know whether it's called Enter or Return to avoid lots of confusion.

    I'm just genuinely glad I never worked for external customer support, so users had to at least be able to find their ass with a map and compass in order to work there. Still, I've asked people what kind of computer they're running, and they say "NEC Multisync" (pronouncing NEC "neck" of course).
  • I pay with my valuable attention. If you don't think your attention is valuable then ask yourself why yahoo, hotmail, etc. are worth more than any retail chain of stores that actually sell you something. People that sell "real stuff" need people to buy your time with "free" services.
  • Um, yeah, or you could just get a proper pop/imap box from somewhere other than your school and learn how to access it from another computer. It's not hard.

    Some cybercafes and kiosks make this a pain in the butt. Compared to running ssh java applets, Hotmail is just as secure (regarding snooping... ie. you still have to trust your home ISP admins if you're opening a SSH), arguably more stable, and a heck of a lot easier to setup.

    I was with Hotmail before Microsoft bought them. Do you know what I do with the account? It's what I put into all those boxes out on the Internet which read "Enter your email address here: (Mandatory)". It's my big spamcatcher, I open it up once a week or so, and wipe out oodles of junk-email... with the odd interesting post from some company which I'm actually interested in.

    I do have some personal email archived in that account... but it's nothing I wouldn't want the world to see. All very boring and normal. If anybody asks me about hotmail now though, I point them to other HTML mail providers, and I do tell them why... because Microsoft is too powerful.

  • I disagree. the Hotmail tagline is "Get your free, private email at hotmail.com". This implies (IANAL but I think LEGALLY implies it).

    Compare that to most "freeware" (beer/speech/sex) licenses that say something like "this software is distributed without warranty or guarantee of any kind".

    I would say that the biggest mistake made by Hotmail was claiming that they were secure and private for so long.

  • guarantees that something will go wrong, especially when it's most needed to NOT go wrong.

    (Because yes, you can want things to go wrong....sometimes...)
  • by JonK ( 82641 )
    > Sun makes workstations (You know, like PCs, only bigger) and operating systems, too. Sun couldn't
    > have possibly purchased Star Division to make StarOffice work better with these products, could they?

    They might have - but not according to Sun: see the press release at http://www.sun.com/smi/Press/sunflash/9908/sunflas h.990831.1.html [slashdot.org]. Do you want to get in a scrap with Scott McNealy about his company's direction?
    --
    Cheers

    Jon
  • by JonK ( 82641 )
    > Sun makes workstations (You know, like PCs, only bigger) and operating systems, too. Sun couldn't
    > have possibly purchased Star Division to make StarOffice work better with these products, could they?

    They might have - but not according to Sun: see the press release on Sun's [sun.com] web site. Do you want to get in a scrap with Scott McNealy about his company's direction?
  • Um, yeah, or you could just get a proper pop/imap box from somewhere other than your school and learn how to access it from another computer. It's not hard.

    Until you find yourself behind a firewall that only lets HTTP through. And you will, sooner or later.

    (I haven't "signed up" for a Yahoo mailbox yet, but it's getting to the point where I might have to do that. Those of you who are still in school, or who work for an ISP, etc., might not be aware of how completely fucked-up broken many corporate computing environments are. At this one, for example, I can send mail from Microsoft Outlook to any domain outside the firewall, but I can't send mail to a Unix machine inside the firewall. And I can't run a POP-3 or IMAP client inside the firewall to connect to a server outside the firewall, because the firewall only lets HTTP (and FTP, sometimes) through. And the HTTP is censored -- some domains are blocked....)

  • The author seems to contradict himself. On one hand he argues that centralization of services by Microsoft and Sun is evil and on the other he says that "Self-regulation doesn't work anymore." And if self regulation doesn't work then what would? Govt. regulation? I should think not.

    Hotmail is not the only kid in town. It seems everyone is offering free email these days. So why do so many people use hotmail? Hotmail was one of the first web based email systems and had the largest user base. That's why microsoft bought them. They saw it as a way to flash the microsoft name in front of more people. So now every time the average joe gets on the internet, he fires up internet explorer (not netscape, that would take a bias against ms since he already has a perfectly good web browser preinstalled) and sees FREE EMAIL on his default home page. The Hotmail user base grows exponentially from all of this new advertising. And all ms did was advertise on their own site.

    But WHY do people use it? Their ISP gave them an email account, which is arguably better. I started to say that it gives people a feeling of anonminity(sp) but most people use their real names and have probably never thought about encrypting their email.

    Which brings me to my point. People, meaning the masses in general, want a centralization of services. MS and Sun know this and want to offer those services. "Aunt Suzie uses Hotmail so logically if I do too things might work better." Now, that much thought probably never goes into it but you get my point. People use hotmail of their "own free will". It's just Microsoft is getting very good at manipulating that "own free will."

    sorry, It's too early to put very much thought into something like this.
  • I think that this will catch on, and here's why. Think of all the revenue that Adobe and MS and other software companies lose to people copying the software. They copy it because it's not all that hard to, and the software costs $300-$700 a copy. Most casual users don't want to pay that kind of money for a quality program when they don't use it more than once or twice a week (if that).

    Imagine an application service provider that has "lean" versions with all the capabilities of the larger copy (maybe only dl the tool when you use it, and then cache it or something), that you can't just copy onto your hard drive and use. Perhaps you sign up to this app serv prov (ASP) for say, $10-$20/mo and can use any of oodles of quality programs. If you use Photoshop, then the ASP gives a certain % or $ amt to Adobe. The software vendors make $ from it, the customer can have a choice of software they wouldn't be able to (legally) otherwise. The "power users" are the ones who generally buy the copy anyways, probably wouldn't opt for this. Maybe as an option to the service, you could choose to save what you make on the server or on your hard drive. If you need to access it somewhere else, then maybe leave it on the server temporarily. Yeah, there are some bugs (like how to stop people from passing the password to one account around) but those are the intricacies for the programmers to figure out. :)

    I prefer to keep my email on a server rather than on my local hard drive. There always comes a time where I have some info in my mailbox (saved or inbox) that I need to access, and wouldn't you know, I've got my laptop and not on my desktop, or I'm at a friend's house. Anything business related is on the company's server behind the firewall (which we use IMAP so it's always on the server, and with Iplanet, is accessible from anywhere, securely). Just because one "free" email service has a security hole doesn't mean that all internet services that store data are insecure.
  • As Bill Gates said in that Simpsons episode, "I didn't get where I am by writing checks." That is, Microsoft wouldn't be doing it -- and certainly wouldn't have paid beaucoup d'argent to do so -- unless they were profiting from the users in some way. A few ways, in fact; they include:
    • Viewing the ads. (Actually least important, given ads' relative ineffectiveness online.)
    • Marketing information. I don't have a Hotmail account, but I imagine they get enough info to sell to direct marketing -- even if 90% of their users explicitly refuse this, that's 4 million names. Take out half for fake accounts, that's 2 million.
    • Mindshare.
    • Mindshare.
    • Oh, yeah, and mindshare. "Who's the monolithic company that's an email machine to all the chicks? Microsoft!" MS makes more than a little money off the idea that they're huge and unstoppable.

    Ironically, MS probably perceive their reaction to this as strengthening that last point. With many people, they may be right. The message seems to be "shut up and take it, we own you." It's a lie, but I recall a certain other large organization based on the idea that if you shout a lie long enough and loud enough, people will start to believe it.

    And the Nazis weren't even incorporated.

    phil
    Kinda pleased with himself for worming the Nazi comparison in... :)

  • Okay, perhaps this would be why?

    Assumptions: Home (l)user, using windows, 56k modem (probably a "win"-modem) dialup internet access, doing taxes, versus some yet-to-be-implemented network computer setup that involves a minimal OS, connected to an 'application server' through something like a X session, or something.

    In order to get to your home windows (l)user, you've gotta get to them while they're connected, which could be for a day, or could be for 10 minutes, while they check their e-mail. And then, you have to hope that they haven't put that data on a zip disk, or a floppy, or something like that. And I know plenty of windows (l)users who save *everything* to floppy disks because they're "afraid of a hard drive crash that could wipe out everything". (keep in mind, here, that we're talking about the joe average home user, not the /. crowd. :))

    If this (l)user was using some sort of NC service, all one would have to do is crack the security on that service. Then you would have access to this (l)user's data, as well as everyone else's in one convenient package, unlike having to go from machine to machine to machine to pick up several users' data.

    This is not to dismiss the importance of the bug (or, wait, don't they call that a "feature"?) in either system. And it's kind of borderline 'security through obscurity'. But, overall, I think that I would feel more secure knowing that my data is stored right here where I can keep an eye on it, over having my data stored on some server located God knows where, that is constantly being hammered by attackers trying to get to this virtual gold mine of data. (maybe what I'm getting at is that my local PC isn't as attractive of a target as some NC server that has a few thousand people's data on it?)

    Just my thoughts...

  • There's no significance at all and I can't understand why this "hack" has created so much attention in the media. This isn't the first time that Hotmail has been "hacked".. It's really no big deal at all.. okay so this person has access to 40 million accounts or whatever.. ooOoh he can get into your MAIL! what will he find? Credit card numbers and super secret passwords?!!? probably not. If you keep lots of important personal stuff in your hotmail account then you're an idiot, but on the other hand like 99% of the mail they will encounter is either a) chain letters, b) an advertisement as hotmail is notoriously known for, or c) just a little email from one buddy to another.... yes there is the *possibility* for them to find personal information or whatever, mostly passwords for accounts on other services.. whoopee doo..
    but people get real.....

    Before hotmail was bought out by M$ there was a CGI error that allowed anyone to access every account.. *ooh* i haCkEd hotmail. yay lots of e-mail and if I'm actually bored enough to read all of this I may get some info out of it.... bah.... the only information I ever found was the dirt on a few girls I was interested in :) I got bored with it and actually felt guilty so a few months later I e-mailed hotmail supervisors telling them of what I had found and how to fix it.


    If hotmail or anything similar gets hacked/cracked again, the problem will be fixed in a heartbeat, just as this recent exploit was fixed. no big worry. the end.

  • If a hole such as this exists, in this day and age, IT WILL BE FOUND, and possibly exploited.

    Does anyone remember who cracked 32-bit RSA encoding the first time? I don't, but I'll bet some of you do remember that it took the combined resources of the Internet something like 9 months to crack one simple text blurb with 32-bit encryption. That's why it's effective, and the larger the encryption, the more effective it becomes.

    By comparison, how long did Hotmail even exist before they rolled out this "feature", what, two years tops? Furthermore, how long after they rolled out the unsecure "feature" did it get jacked? Not long at all. Are people going to ditch Hotmail? Hell, yes. Why? Because they can't trust it.

    What I'm getting at is that tracing the person who found this hole (I can't even call it a crack with a straight face) is less productive to the community at large than is 1) fixing the problem and/or 2) not letting it happen in the first place. If you're running a mail service, for God's sake, leaving a hole in it like that is inexcusable.

    Free is a very good price, as they're fond of saying here in Portland, but it's probably not a good price for mail services.
  • Okaaaay... Perhaps I'm missing something here, but just exactly why did this make Slashdot's "news-worthy" cut?

    Maybe the link's wrong, or it's written in a language syntactically identical to English where all the words have different meaning, or something because all it looked like to me was a lamer suit-type whining about his latest conspiracy theory.

    Case in point: Our friend the author here seems to think that since HotMail (TM and (R) as necessary) is an Internet-based service, it is inherently less secure than PC-based email. Okay, here's a question. Before I click that "Check for new mail" widget, where is my mail? OH MY GOSH! It's out there on that scary Internet! ARRRGH!

    Okay, that sort-of nullifies his whole argument. Email is spooled on networked machines anyway, not sent directly from workstation to workstation. He fails to realize that all email has the same potential risk, and the first line-of-defense has much to do w/ quality of server software, and network security. These things can be fixed to a large extent.

    Also, our friend the authordroid seems to be mistaking storing applications on a remote server with storing data on a remote server. Is there really any problem with accessing an application via network that updates itself automagically and lets you save your data either on the server or locally?

    Perhaps, though... the application is really being controlled by pinkos hiding out at Sun who are reading your steamy letters to your girlfriend! Please! Enough with the conspiracy theories! Sun makes workstations (You know, like PCs, only bigger) and operating systems, too. Sun couldn't have possibly purchased Star Division to make StarOffice work better with these products, could they?

    No, one shouldn't have to be an auto-technician to drive a car, but you should at least know enough so that you're not completely stranded when your tire blows out, or know who goes first at a four-way stop. Does anyone know how we got to live in a society where people pride themselves on not having to know things?

    By the way, Mr. Stalder, that's HotMail Crack.


    From a Sun Microsystems bug report (#4102680):
  • As long as Microsoft exists they will be issuing security patches just so that they can claim a new "innovation" each time.



  • er, 'up at the top'. one tries to avoid using words like "right at". otherwise people will look for it at the top right. i'm so glad the clue level is higher here so i don't have to remember these things.
  • ok maybe this will clear some things up. Say you are on a cross country trip and your car gets into an accident along the way. The police department comes out to save you. It isn't the police department that your local taxes pay for but they still help you right? It's called a Public Good and ROAD SERVICE is a public good. Maybe I'm too young to forget facts..yeah you're right
  • Has anyone ever seen any sort of guarantee on any sort of software? No?!? Didn't think so.
  • by Anonymous Coward
    He made some specific points about microsoft but it seemed overall the scope was much larger. People have all these high powered workstations and what do they do? Spend most of their time connecting to huge remote servers on relatively low bandwidth connections. It's a nearly perfect irony. These centralized locations (not just microsoft) have tremendous power, having access to so much information but have no accountability as to the use of that power. You sign your soul away when you click on "agree". Market forces are irrelevant because there is no accountability *anywhere*. But the accountability is no problem. Because if the information is encrypted, wanna be pilferers will find nothing but a lump of near-random 1's and 0's. Encryption is an ideal solution for this problem. All data on the internet should be encrypted. Just seems sorta silly that all these packets are flying around, unprotected for anyone to grab. It reminds me of the old days when an entire town shared the same phone line and could listen on anyone's phone calls. The internet needs to be blind and deaf at all places in between destinations, it's the only way.
  • by Anonymous Coward
    The article's author is wrong!

    This BS about the dis-empowerment of the user is starting to become tiresome.

    He's right, PCs DID empower the user. Anyone can buy a PC and be as empowered as they'd like. Install any OS you want. Write all your own applications too if you want!

    The 'average' user has been empowered past his capacity. He has the tools to do anything with a computer that Microsoft or Sun can do. He doesn't have the ability and since he's a single person, he doesn't have the time.

    So companies full of smart people get together and pool their collective resources and they create services like Hotmail & Star Office Portal.

    Does this dis-empower the user? No. These services are optional and free. The user can try to make his own mail & office suite.

    Does this empower the user? Yes. You can do more with these services than you can without them. They cost nothing and they're optional.

    Did the phone company disempower people? How about electricity and running water? How about oil companies? After all, before these companies, a person could get water from a well or pump their own oil and refine it themselves to power their own generator to make their own electricity. Now THAT's autonomy!

    Here's a suggestion: stop keeping score of who's powerful and who's weak and go get something done! Star Division and Hotmail created good products that have helped a lot of people. What have YOU created that's helped a lot of people?
  • As services on the net become ubiquitous and even your grandmother starts to use those services, I suspect that things will be changing. For the most part, I thought the story was a bit bogus, but the last statement was interesting:

    Another way is to create mechanism of accountability, which replace fancy worded "commitments" with "binding obligations" so that screwing up really hurts. Like in most other areas of life.

    I suspect that the truth of the internet service future is summed up rather well here. The more folks use these services, the more pressure there will be for providers of these services to be accountable. Admittedly, policing the net seems intractable. On the other hand, that doesn't mean some bright cookie won't figure out a decent way to deal with it.

    For instance, what if Texas decided that it would make net service providers accountable for the stability and security of the services they provide? Maybe they would let anybody sue a Texas provider that didn't meet that provider's claims of stability and security in the hopes that companies would flock to Texas with the idea that net-users would consider Texan providers more accountable, hence generating more business locally?

    IANAL, but such things seem at least possible. Or maybe there is a completely different idea out there floating around that would produce the same result.

    I suspect that in a world which allows idiots to sue McDonald's because the coffee they ordered was actually hot will eventually devolve into a world in which Joe Average can sue Provider-X for losing his index.html and not having a backup on the server.

    I don't like it, but that seems to be the way things are going.

  • my mistake. Nice job of proving me wrong...

    -brandon
  • by Anonymous Coward
    The article misses the point of manageability of fat clients versus a centralized server. A bug in a client program can take man-years for the fix to propagate. Think of the small problem found with Vixie cron recently, and estimate how many man-years of Linux admins' time was used to fix each individual system and how long it will be before all of the vulnerable versions are updated. Now, think about the collective time it takes the world to fix a problem with slashdot. Rob fixes it once, and it is fixed for everyone. This is why Microsoft having to fix a single server program isn't nearly as big of a deal as something like the Windows ping of death (that requires a fix to each individual machine). Solving this problem of propagating fixes is how I make my living. I convert legacy dBase and FoxPro programs (that companies are sick of having to continually update versions on potentially 100's of clients) into web-based applications written in PHP/MySQL.
  • Recently, my ISP added a "HELPFUL" page on its Web Page that lets me access my E-mail through HTML, instead of the regular POP system. I didn't ask for this. I don't want this. Until recently, I just ignored it. Though I have read as much information on the Hotmail Crack as I could find, I haven't been able to determine if whatever happened to them is something I need to be worried about or not. Is/was the Hotmail crack something specific to their implementation, or was it something about the HTML interface that caused the insecurity?

    Nipok Nek
  • by Keju ( 82514 )
    The majority of desktop users are running a particular OS that will remain nameless. A single security hole there can and does have serious ramifications. How is this any different from putting all your eggs on a server?
  • Hotmail is Apache on FreeBSD (see here [netcraft.com] for details). Microsoft just own the site: there's no NT and no IIS there at all. See the thread when this was first announced about a week ago for plenty more ignorant pro-*nix FUD.
    --
    Cheers

    Jon
  • JP said:
    Email is spooled on networked machines anyway, not sent directly from workstation to workstation. He fails to realize that all email has the same potential risk, and the first line-of-defense has much to do w/ quality of server software, and network security. These things can be fixed to a large extent.

    Actually, the first line of defense should be part of the e-mail *client*, not the server. It's the last paragraph of this article that indirectly points this out--the paragraph that says "Free, easy to use, public domain cryptographic tools are a necessity."

    Crypto is your only real privacy protection. It's ridiculous that it's not readily available for everyone--it's not as if the technology isn't there. No, this won't stop DOS attacks and such, but it will guard your e-mail from prying eyes.

    By the way, you may actually have better privacy on Hotmail than on your ISP. I've talked to former ISP employees that admit to printing out their users' "juicy" e-mails and passing them around the office each morning for fun. Besides that, cool software like Ethereal [zing.org] makes e-mail passing through your network segment on its way to the server quite easy to read if it's unencrypted.

    If you expect anyone other than yourself to protect the privacy of your e-mail, then you are kidding yourself.

    numb@g27.org [g27.org]

  • Do we have to pay for our roads? No...and they seem to work just fine. Except in Michigan... -brandon
  • Hey look! I found all the commas missing from that article in my couch. ----> ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,
  • It's funny how those little "technical details" can make the difference to a story ...

    suspect that in a world which allows idiots to sue McDonald's because the coffee they ordered was actually hot will eventually devolve into a world in which Joe Average can sue Provider-X for losing his index.html and not having a backup on the server.

    I used to think that suing McD's for hot coffee was stupid too, until I learned some more details about that case. IIRC, the temperature of the coffee was 170degF, about 50degF higher than food service "industry standard." This is hot enough to cause third degree burns. The lady who sued McD's originally approached McD's to see if they would cover her hospital costs for those third-degree burns that the spilled coffee caused her. When they told her "get lost, that's not our problem," she then got a lawyer ...

    It was uncovered, as part of the fact-finding for the case, that McD's in general, and that particular restaurant, had received numerous, documented complaints about the temperature of the coffee being high enough to cause burns. Yet McD's had chosen to ignore the problem. It was this pattern of negligent behavior that led the jury to award punitive damages as well.

    McDonald's never admitted fault or responsibility, but for some mysterious reason, they soon after changed the settings on their coffee heaters down closer to 125degF, not hot enough to burn.

    I'm not sure it's possible for an ISP to be this recklessly negligent concerning human health -- it's awfully tough to hurt anyone with bits and bandwidth. While there are stupid lawsuits and greedy lawyers out there, there are also stupid, greedy, negligent companies out there who won't do the right thing unless a judge makes them do it.

    "Morality cannot be legislated, but behavior can be regulated. Judicial decrees may not change the heart, but they can restrain the heartless."
    -- Dr. Martin Luther King, Jr.

  • it took the combined resources of the Internet something like 9 months to crack one simple text blurb with 32-bit encryption.

    I believe you're referring to a 56-bit RC5 key. You can check the distributed.net [distributed.net] archives to find the details.

  • ...is that every time some lame M$ site is cracked, people start thinking none of the Internet is secure. When a virus strikes some Windoze 95 workstation, they figure no OS is secure. When their precious NT workstation bombs, they think it's to be expected from any networked workstation.

    Hotmail being cracked is not the end of Web-based mail. It's just a sign that M$ isn't doing its homework when it comes to security, and that people should withdraw their support for companies that do not provide secure storage and operation, if it's an important concern of theirs.

    It certainly is one of mine, and all it means is that I use encrypted Webmail for less significant yet private issues, and PGP when I want real privacy. And it's why I do not have nor ever had a M$-owned Hotmail account.

    "There is no surer way to ruin a good discussion than to contaminate it with the facts."

  • by mnot ( 71203 ) on Thursday September 02, 1999 @06:13PM (#1708033) Homepage Journal
    ...With[sic] sounds almost like mainframes all over!

    You're not rebuking the idea of centralised computing, you're playing on people's prejudices against 20-year old dumb terminals that were hard to use.

    In huge centralized system the effects of such attacks are greatly magnified because one single line of code can suddenly open millions of mailboxes.

    And one line of bad code can't be much more of a risk on millions of PCs running the same (browser, e-mail, etc)? At least on a centralised server, it can be fixed for good, by qualified people.

    You invariably end up with no rights what so ever, and you are likely not even to know it because you would have to be a computer scientist and a lawyer at the same time.

    What exactly does this have to do with the matter at hand? How will putting a PC that needs to be configured, maintained and supported on every desktop help here?

    Centrally managed computing (like Sun may offer) is a good answer for companies that need to manage hundreds or thousands of desktops for clueless users in a sane manner. No one is shoving anything down your throat. Yes, believe it or not, the big, nasty corporations aren't, in this case, trying to rob you blind, curtail your precious rights, or anything else. They just don't care.

    The key difference between HotMail and StarOffice (as a service) is that StarOffice will run INSIDE the company, and therefore be the responsibility of "friendlies", NOT an external service provider.

    Of course, they'll probably make it a net-available service as well, but so what? Big corporations *gasp* are still responsible for writing a lot of the software out there.

    I don't know exactly what the author is trying to do here; it seems like they've strung together a list of 'hot-button' issues to make some kind of statement, one that we've heard many times before. It doesn't add anything really useful.

  • While I don't claim to agree with the author's examples, (In fact I think many of them are just plain wrong), I do see that in the future, as we attempt to use more centralized forms of data storage, a single crack can cause more damage than ever before.

    I kind of feel that this comes back to the old adage, "Don't put all of your eggs in one basket." While there is nothing evil about centralizing information, the consequences of a single crack are far greater... while the danger is still the same...

    From a user's standpoint, when you put your money in a bank, you kind of expect it to be there when you need to withdraw it... the bank should not be losing your money all over the place...or have your money stolen by Kro0kS... you don't really need to know how the FDIC (I think) insures the funds... you just expect your money to be safe. I don't know if any of us (well, most of us?) really understand the safeguards on our bank accounts, nor on the global ATM network...

    Ideally, a system, such as Hotmail [hotmail.com] should be secure. Granted, total security is never possible, but it should at least be reasonably secure...

    In short, distributed computing poses the same series of dangers as a centralized network, but generally the repercussions of a crack are not nearly as bad on a distributed network...

    Don Armstrong -".naidnE elttiL etah I"

  • by jflynn ( 61543 ) on Thursday September 02, 1999 @07:29PM (#1708056)
    "Okay, here's a question. Before I click that "Check for new mail" widget, where is my mail? OH MY GOSH! It's out there on that scary Internet! ARRRGH!"

    Well you just said it -- *new mail*. Sure your e-mail passes thru the internet, but it spends very little of its time there. Most of my e-mail has been safely in its folders on my system for months, and only on the internet for hours.

    The other issue is concentration of resources. Sure it's cheaper and easier to keep 40 million people's e-mail (the entire history for many, not just their recent e-mail) on one set of large servers. But that same concentration means one single flaw in security can expose that entire quantity of e-mail (as was just demonstrated.) When e-mail is stored locally on end users' machines the risk is distributed, and each person can be more responsible for their own safety.

    "Also, our friend the authordroid seems to be mistaking storing applications on a remote server with storing data on a remote server. Is there really any problem with accessing an application via network that updates itself automagically and lets you save your data either on the server or locally?"

    You know, I think that's an excellent idea for web apps like StarOffice and HotMail, keep the files locally, the applications centrally. But I get the impression it wasn't an option for HotMail. It won't be an option for those on WebTV either (like we care -- I know.)

    I have nothing against Sun's plan to market web applications, they have a lot to recommend them in ease, price, and convenience. We have to be realistic about the flaws too though, or we're going to see too many more incidents like the recent HotMail crack.

    Jim


  • Although the article raises some interesting points, it paints with too broad a brush when saying that computer users are becoming disempowered. It's yet another case of statistical generalization, which may delight journalists and politicians but is always very annoying to those that don't follow others like sheep nor benefit from it. Some users are disempowered, yes, namely those that are not able to assess for themselves whether relying on a service like Hotmail or a company like Microsoft is a good idea, and those who are not able to make the right evaluation and move to other pastures. But does it disempower you, as a Slashdot reader? Almost universally, no, because for the most part people who use this forum are competent enough to know when to leave a sinking ship or not to expose themselves to the hazard in the first place. We're not the Borg. We're individuals, and just because statistically something appears to be happening to some computer users doesn't mean that it is happening to computer users in general. There always will be people who are challenged in one or more areas and who as a result are prone to some group-specific ailment, but you can't extrapolate from that to the universe of people when that universe is as diverse as that of computer users.

For large values of one, one equals two, for small values of two.
