Domain: passport.com
Stories and comments across the archive that link to passport.com.
Comments · 75
-
Re:Why use Passport at all?
Don't worry. From the Passport Q&A:
Why should I trust Microsoft with my information?
In recent years, Microsoft has consistently been ranked as one of the most respected corporations in North America by the general public.
In addition, Microsoft has been a champion of Internet privacy standards and privacy organizations for many years.
See? Nothing to worry about. Microsoft is one of the most respected corporations in North America.
-
"Saavy"?
We, the saavy users know that plain text transmitted over SSL is anything but insecure. We also find out at least a little about how something works before we comment on it.
-
Re:I hope everyone will boycott
Only some of these are owned by M$: http://www.passport.com/directory/default.asp
-
Parental Controls
When I try to login to Hotmail (which I never use, but have anyway) I get the following message:
"Our records show that you are under 13 years of age. As a result, a new law requires us to get your parent's permission before you can continue to use Hotmail. We use Kids Passport to get permission from your parent so you can start using Hotmail again right away! To get started, answer the question below.
Is your parent with you right now? Y N"
Though it is nice that they are following COPPA, I am 32 yrs old. Answering no to the question brings me to a screen where I enter my parent's email address and they send off a note to get permission. Saying yes gets me a screen where I verify that I am the parent of myself, etc.
I don't want to falsify this information, for fear of breaking their agreement, nor do I want to get my mother involved (I am not sure if she would understand that she needs to OK me to access email, and I don't want to get her involved with Microsoft).
I cannot figure out how they know my age (erroneously), except I routinely skip that whenever asked.
So, how do I get my spam from my hotmail box without breaking Federal law or Microsoft's agreement, and at the same time leave my parents out of this?
-
All your data (and biz plans) are belong to M$!
The Vulture Central has an interesting article about the current Passport Terms of Use. Who would want to have his communication run through any MSN server now?
// Klaus
--
-
Hotmail offers encryption too.
Does it bother you that you have to send your login name and password to Hotmail in cleartext? Well, that's not the case. They offer an SSL enabled login screen, it's just not advertised. You can do an SSL login to Hotmail right here.
Because the Antarctic is a lonely place for Penguins. The Linux Pimp
-
Re:Conversion of Hotmail to Windows 2000 completed
In addition, I'll say that if you try to access
http://lc3.law5.hotmail.passport.com/cgi-bin/LOGIN
it's OK as well as
http://lc3.law5.hotmail.passport.com/cgi-bin/login which is where you're originally redirected.
This could mean that these servers are case insensitive and doing so they are Win32 servers.
But I can be wrong too :-)
Fred
-
Re:Some Real Data: 79.8% Win2K
To be honest, I grabbed the hostname from somebody else's post. (Like I said -- don't know nuthin' about Microsoft's system.) I think I got that address from Spock the Vulcan's post, which is a single head dump from Lynx. Also, JOKane posted saying that 6.1% of his (?) 1,000 wgets were processed by the IIS server.
I wonder if the login server isn't different from the actual mail servers? Hotmail does, after all, immediately push you to one of their law.hotmail.msn.com servers. That was my assumption, though perhaps flawed, when I used the lw7fd.law7.hotmail.msn.com address. Is anybody familiar with their topology?
Anyhow, I repeated the experiment, this time on lc2.law5.hotmail.passport.com, which is the server that www.hotmail.com pushes to. My numbers there more closely matched yours:
- 953 "Apache/1.3.6 (Unix) mod_ssl/2.2.8 SSLeay/0.9.0b"
- 47 "Microsoft-IIS/5.0"
4.7% W2K. That's closer to the results that I'd *like* to see. :) I hope some Slashdotter knows more about MSN's load-balancing setup than we do!
-Waldo
-------------------
-
Re:Come on, people, this is a Good Thing.
Hotmail? For important business accounts? What kind of drugs are these people on?
According to the Terms of Service, you are not allowed to use Hotmail for your primary business address. So Mr. Joe Cheapfuck really has no reason to bitch when M$ shuts down his joesreallycoolbusiness@hotmail.com account.
-
Re:Data point
From here: Hotmail does not condone or support the sending of junk e-mail (aka "spam") through our system. The Hotmail Terms of Services (TOS) strictly forbids sending unsolicited e-mail and we terminate all reported accounts that are in violation of the TOS. If you do receive unsolicited e-mail, report it to abuse@hotmail.com. Remember to include a complete copy of the message, including the full message headers. Have you tried this?
-
Full of holes - why even bother...
With a privacy policy like this one?
I guess that Joe A. Verage internet user is going to think, "Hey! They DO have a 'Privacy Policy' so I MUST be virtually anonymous!"
-
This already exists: www.passport.com
There's a company called Microsoft that already has a service like this.
You can create an account with all your details on http://www.passport.com and when you shop on any of the participant sites you don't have to enter any information. For a list of the participant sites go here.
-
Passport == Passband (possible explanation)
If I recall correctly, the domain name Passport used to belong to International Broadcasting Services, Inc., to promote their book Passport to World Band Radio. The transfer to Microsoft happened sometime during the summer of this year -- I seem to remember noticing the change in mid-June. While it may be fun to poke fun at Microsoft and there really is no excuse for failing to renew the domain, it seems somewhat understandable when you consider the fact that this domain is new to them.
Why is there such need to gloat about Microsoft's mistakes? Does pointing them out make Linux or whatever operating system you use better?
In the end, Chaney did a good turn and set a good example. Enough said.
-
More than just a Hotmail problem
I've been doing a little more research into this little passport.com outage, and I thought some of the information I found might be helpful to others here.
According to ms own press release, (found at: http://www.passport.com/directory/) this isn't just a hotmail issue. They have several domains signed up to use a service that ms itself wouldn't pay $35.00 to maintain.
The list:
ArtSelect.com
BottomLineMac.com
Buy.com
CDW Computing Solutions
Costco Online
Crutchfield Electronics
ephones
ePCdirect.com
Flowerbud.com
Flowersandgifts.com
FurnitureFind.com
Giftpoint.com
Kabang.com
LEF.org
Lodging.com
MSN eShop
MSN Gift Certificates
My Shopping Club
OfficeMax.com
RedTag.com
Sandrine.com
TooHome.com
Toytime.com
Umbra.com
VCOM.com
========
Like most linux users, I would like to see electronic commerce thrive and progress, but in a safe secure manner. Therefore, we should consider it our duty to inform the webmasters at these domains that ms doesn't have their interests in mind. That ms could care less about the success of their venture. That ms left the passport.com domain down in the middle of the holiday buying season, and that they should be held liable for all contracts expressed or implied.
If we each pick a domain and send an email informing them (be nice!) of the way ms has handled themselves in this situation, perhaps they will think twice about partnering with a monopolist that wouldn't give $35 to help them.
_________________________
-
Re:Amex Blue
I think the primary difference between MS' Passport and AmEx' Wallet/Blue is that with the Blue card and reader you get a 1024 bit (or perhaps it's 2048bit) token to initiate the process that is sent from your PC. Passport still is dependent on the user supplying a password, which is much more crackable.
I just went through the Passport setup process to see what they require. You do have to supply a password which "Must be at least 8 characters long, and can contain numbers and/or letters, but no spaces. Make sure it's difficult for others to guess!"
But you also give them a question to ask in case you forget your password and there are no requirements for the complexity of the response, (in fact this process almost ensures that a dictionary word will be used by the typical user, though they do warn against this.)
Also, this whole process appears to be done unencrypted (at least it doesn't use SSL) except your password is masked out. (The answer to your question apparently isn't).
Since MS is trying to establish a standard for ecommerce, you would think that at a minimum it would require something more secure than an 8 character password (ie 36^8 possible solutions roughly equivalent to 40bit encryption). Also note that when you sign-in to passport, it isn't over an SSL connection either. Also, hotmail users are being encouraged to use their hotmail username/password for their passport account.
-
Passport is more evil than previously thought
From Passport FAQ for Businesses:
Where is the Passport profile and wallet data stored?
All Passport profile and wallet information is stored on secure Microsoft servers. Passport is subject to its own privacy commitment to its members, which prohibits Microsoft from sharing or selling members' information without their consent. Participating sites will also be able to store core profile and wallet data on their own servers. [my emphasis]
WTF is this? Not only do we get the world-recognized insecurity of MS, but they have the option of whoring out Passport users' CC numbers to other parties?
*sigh*
-
Re:Another article.
Wallets can be implemented either the Microsoft way, by storing the information on their server -- or the way everybody else has done it, by storing the information on your own computer. My belief is that everybody else expects that no intelligent person would give up their personal information for no reason.
The only benefit for the server model is that you could buy stuff from any computer, just by (somehow) accessing the Passport information. Of course, there better be some fairly sophisticated [read, cumbersome and inconvenient] password protection on Passport, then. And then, wouldn't this add to the inconvenience of the shopper?
The client-side models require you to input the information (only once, of course) on each of the computers you want to spend money from. Now, this doesn't seem like a huge inconvenience, really; certainly contrasted with the potential inconvenience of having somebody with evil intent [not naming any names] getting a copy of the server database.
I was disappointed, but not particularly surprised, that there was virtually no reference to security in the PressPass "Q/A" report. There were absolutely no assurances about what protection Microsoft would employ to keep your data private, no assurances whatsoever that Microsoft wouldn't abuse the information. I found the example of storing the address of your parents, say, with Microsoft particularly chilling. What a remarkable web of consumer information could be woven if everybody input their personal relationships into the Microsoft monster.
The page on passport security and privacy also, remarkably, passes up any opportunity to reassure users that Microsoft won't misuse the information that you give it. They do say that they won't share your personal information with others, but it will get to the point (if this is successful) that the rest of the world could be ignored, to a first approximation. There's nobody that I'd be less happy to have this information than Microsoft, themselves.
I predict, sadly, that this will be a spectacularly successful product.
thad
-
Hotmail informs about the hack!
http://lc2.law5.hotmail.passport.com/cgi-bin/dasp/content_secureres.asp?_lang=
Hotmail informs that it's only a potential security issue. They claim they took the server offline, but from what I have read on /., it took far too long. I'm happy I stopped using the service when Microsoft took over, although I believe that the hole has been there for a longer time than just a couple of hours.
-
Proof?
Why should I prove something I never said? I said that MS marketing people have often mentioned they'd like to increase NT's presence at Hotmail, not that there are plans for wholesale conversion.
In addition, it looks like they have increased NT's presence at Hotmail. They added Microsoft Passport to Hotmail, and I am pretty sure that the Passport servers are running NT. So at Hotmail you now have the Solaris/Apache boxes listening to NT machines running brand new software for account authentication. This might be where the exploit lies (or it might not).
----
-
Re:Hotmail & security
I don't get spam from Hotmail on my main account. Of course, I'm very protective of the one main e-mail I have. I should look on Deja to see what the reaction is. Read their security page. Changing passwords will not help fix this. I am assuming this at the moment also violates their Trust-E statement since they say that Profiles are kept on a secure server not accessible to the public. But you can get into people's e-mail accounts and view their profile, which makes the whole system exploitable. Anyone who sends any credit cards numbers out through hotmail already has a problem. Ooooh, scary! Hotmail's Security Page
-
Microsoft Passport "Security"
Well that's interesting.... it seems as if this might be caused by Microsoft Passport. After all, since Microsoft Passport is Microsoft's new 'tool' for getting into websites without reauthenticating, they had to have some FUD to promote it..... Take a look here to see the MS FUD on "Passport Security".
-
M$'s solution to this problem
Is it just me, or have others also noticed a couple
other articles on this topic? It seems to me, all of these
are just a preamble of a hype-storm for the Microsoft
solution to this problem. go take a look at this
Hotmail is already using this, but i don't know of any others yet.
i am thinkink this could really become big, and could really give MS
a monopoly on website user authentication. How about moving quickly, and developing an open source standard similar to this?
Linuxghoul