Hotmail Hacked
SyD writes "Apparently there is a major security hole on Hotmail that could allow crackers to read your e-mail. A hacking group known as root core discovered the hole and reported it to Microsoft." This isn't the first time that the folks who are gonna give us an internet-wide universal login system had a hole. The funny part is that I posted a story almost exactly like this like 2 years ago, and about once a week, someone emails me and says "I think my boyfriend/girlfriend is cheating on me and I really need to know the backdoor into hotmail to find out". No I'm not kidding. You can't make that stuff up.
Isn't this *after* they started moving a lot of servers to windoze from FreeBSD
:)
Yes, probably flame bait...it's in the hotmail system...so no blame on the OS
Chaos, Mayhem, and Destruction: Not
More info on MSN UK
Riight, odds of that are what? Take a given hotmail account, and then guess which couple hundred message IDs out of 10 billion correspond to something in their mailbox. Fuck you taco, that's not a security hole, this is a security hole.
I feel compelled to say something about pots, kettles and African-Americans here. Slashdot has had and continues to have numerous holes.
I'll skip over the 2 times that you were hacked and focus on a pair of luckless users:
AxelBoldt and Randal Schwartz.
Both these users had their accounts stolen by a brilliant and handsome young foot-fetishist due to flaws in slashcode. AxelBoldt used "AxelBoldt" as his password, and was then embarrassed to find several passionate screeds about Heidi Wall posted under his name. Poor Randal Schwartz posted even more embarrassing material, but that's what he gets for using a password of "slashdot".
Anyway Rob, I'm not criticizing, I just think that before you go casting stones at hotmail, you should at least enforce some password standards on slashdot and develop a method of detecting and blocking the dictionary attacks I've been running.
Your friend,
--Shoeboy
I don't mean to be a stick in the mud but this information clearly lays out how to hack into a privately owned computer system. This is illegal in most countries and as such whilst Slashdot don't censor their posters (free speech is something I'm all for) allowing this to be moderated up shows the sort of people that this site is being controlled by - and a smart lawyer could argue that the promotion of this item constitutes the marketing and or distribution of this illegal material thus making slashdot and its owners accessories after the fact to a crime (yes hacking is a criminal offence with jail terms)
Just a point - now if you guys have a brain you will mod this back down or remove it - I think it's an interesting post but I would encourage the users NOT to post full exploits but a link to a page (use geocities or someone similar) off site - as you cannot be held responsible for it (pretty disclaimers aside you are legally responsible for the content here - it's just that no one has decided to pursue it yet)
YES I AM A LAWYER
i'll try one time. one time only for whatever big number people are going for. i won't try it again, i swear. (bye bye karma)
Go green: turn off your refrigerator.
bwahahahahhahah LOL! you bastard you almost made me spew iced tea all over myself. hahahahha
I've heard that this hotmail problem is very similar to a huge gaping hole in the arse
There's actually now two win32 binaries that demonstrate the exploit. The first requires you to log into hotmail to set the cookie, the second allows you to do that from the program's GUI.
Nope - under the law his intent would be sufficiently demonstrable - That is he knew or had a reasonable knowledge that by posting said information here he would be promoting and facilitating the hacking of a secure system (and the law would define this as a secure system in that it requires passwords and membership for access and the users have a reasonable expectation of privacy) thus his intent is clear in legal terms - this is all the law requires in terms of intent and the type of forum becomes largely irrelevant.
/. constantly plays host to incitements to commit DOS attacks, Hacks, send mail floods, posts confidential information (this is IMHO a good thing BUT there are consequences) any good lawyer would be able to use this to show prior actions and thus establish tacit if unspoken consent of the poster and his opinions.
This would be sufficient in a civil case to obtain a successful verdict for damages (especially once the prosecution has painted the old hackers and evil crackers picture for the Jury).
I don't think this will happen but it would be a good thing for /. to understand that there are legal ramifications of their actions and I suspect one day they will get hit over the head with the legal stick - hard
Important Stuff:
Please try to keep posts on topic.
Try to reply to other people comments instead of starting new threads. Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)
Problems regarding accounts or comment posting should be sent to CowboyNeal.
For more information
Slash ain't no linux cult
Slash mean posting for yourself
You aren't slashdork cos you wear thinkgeek
When a mod still lives inside your head
Chorus:
Nazi Mods
Nazi Mods
Nazi Mods...FUCK OFF
Nazi Mods
Nazi Mods
Nazi Mods...FUCK OFF
If you metamod get outta here
You ain't no better than the authors
We ain't tryin' to be geeks
You ain't Jon Katz, this ain't YRO.
Chorus
Ten guys post first, what a troll
You mod each other, Cmdr. Taco wins
Mod me down then you post AC
Post logged in if you got real balls
You still think penis birds look cool
The geek profilers run your schools
They're Taco, bitchslappers and Sims
In slashcode 2, trolltalk was first to go
Chorus
Trolltalk was first to go
Trolltalk was first to go
Trolltalk was first to go...
--Rod "Cmbr. Taco" Malda
oh and by the way, i am a karma whore...isn't everyone?
I'm not.. Karma This!
I know the domain will show up, I'm not attempting to hide it. No obfuscation with google's translations or whatever. I just wanted to show you not everyone really cares about karma.
(Plus I just once wanted to post a goat link.. Scratch that one off the list of things to do before I kill everyone.)
For a good time call www.sawkie.com
Yes, perhaps one unfortunate day it will be illegal to explain security vulnerabilities in depth, but until then there's little wrong in supporting open disclosure. Security through obscurity doesn't work.
Please explain to me how open disclosure of the details of how this hack is performed helps in this case. This is a closed system. Knowing the details of how the hack is performed doesn't help anyone in the general population fix this problem. It just allows malicious people to invade other people's privacy.
I can understand posting that the bug exists, and general information so that people have an idea if their information is at risk. I think it's great when white hat hackers let a company know that they've got a security hole, and give them a chance to close it. If they don't make an effort to close it, then there may be some justification to full disclosure.
However, claiming you're wearing a white hat while feeding the script kiddies info, when there's no real positive effect is a load of bull. These people need to learn the difference between helping others and feeding their own egos.
The slashdot community often seems to get up in arms because the media doesn't understand the difference between a hacker and a cracker. Maybe the media can't figure out the difference, because the hackers and crackers can't figure out the difference either.
Oh sure, next thing you'll tell that santa claus isn't real!