Hotmail Hacked
SyD writes "Apparently there is a major security hole on Hotmail that could allow crackers to read your e-mail. A hacking group known as root core discovered the hole and reported it to Microsoft." This isn't the first time that the folks who are gonna give us an internet-wide universal login system had a hole. The funny part is that I posted a story almost exactly like this like 2 years ago, and about once a week, someone emails me and says "I think my boyfriend/girlfriend is cheating on me and I really need to know the backdoor into hotmail to find out". No I'm not kidding. You can't make that stuff up.
"He was a wise man who invented beer." -- Plato
"The average person in the street doesn't need to worry, as they would have to be specifically targeted," said Graham Cluley, an Internet security expert with antivirus firm Sophos.
I suppose the quux is whether I'm an "average person" or not. I think I'll go stand in the street to hedge my bets.
I/O Error G-17: Aborting Installation
*whew* Good thing I still have all those y2k supplies.
"In addition, intruders would first need to log in to their own Hotmail accounts, which means they'd leave a clear trail for investigators to follow, experts said."
Bring me these experts. If someone thinks my hotmail account(s) leave a clear trail to me, they're insane. They leave a clear trail to my web proxy, perhaps. Most of my accounts only ever receive one email too... "Slashdot password for user Vladinat0r"
Sigh. Experts indeed!
You need to guess the message ID, a longish string based on a timestamp and another number. And once you do that, you still can't read other messages from that account unless you guess them separately. You could try brute-forcing the message IDs, of course, but then you're relying on a fast connection (I believe there are 60 possible message IDs per second, and you rarely know exactly when a message was processed anyway) and fast servers. Besides, after all this, you'll probably find that all the target account's real mail was automatically deleted to make room for WinXP.iso.bat, attached to a message asking for advice.
Gates' Law: Every 18 months, the speed of software halves.
Guess they haven't gotten rid of Code Red yet!
(For the humor impaired: no, I did not actually do the telnet session.)
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
Now anyone can get in and read all the porn ads I get in my hotmail inbox.
The Internet is generally stupid
I'm glad for Onebox and my regular email accounts.
Sure, some would say, "It's free; shut up!" But: MS is __still__ claiming to provide a service even though there is no direct cost to me. That there's no cost doesn't mean I don't expect the service to be useable. My recourse is to leave. Is that what MS wants?
Oh, as an aside, I hope the message #292192399 bug is never fixed - "Imagine if there's no First Posts...It's easy if you try..."
-- @rjamestaylor on Ello
A monopoly is a scary thing.
Despite the fact that MS believes very firmly in a security through obscurity model of business, they have both benevolent and malicious hackers and crackers world wide working to expose as many of their security holes as possible, thereby forcing MS to patch those holes. Code Red would still be unpatched if eEye hadn't released its exploit POC. This exploit would still be out in the open and freely abusable if it hadn't been released.
Since MS is the 'standard' for most internet users, it's also the recipient of all the world's unsolicited security advice.
And Yahoo! Messenger kicks AIM's and MSN Messenger's asses.
Why tempt fate?
Send your friends messages of love at fuck-you.org
For script kiddies who don't want to be bothered with the details, there's even a Windows program that automates the process.
Ya know, if you could somehow get that posted out somewhere that has greater volumes of general everyday traffic, maybe the rest of the public would start to get the hint at how bad MS is with security issues.
:)
What would be really interesting is to show an example hacking the rest of the sites that use Passport type technology. This would definitely blow holes in MS's idea of being the "gatekeeper".
Or better yet, it might just close the gate!!
Cal
blah blah, we expect this from MS... blah blah, when will they get their act together...
This was already posted to BugTraq not too long ago. For a more technical breakdown of the details surrounding the Hotmail vulnerability, go here:
http://www.securityfocus.com/archive/1/205785
- tre
http://piclabs.com
* Will someone please think of the children! *
Please email all complaints to root@127.0.0.1 and the issue will be dealt with in due time.
"However," Microsoft said, "we recognize the concerns raised in the computational infeasibility of this mechanism and are investigating ways that we can raise this bar even higher."
Like Taco said...you just can't make this stuff up. That response is just too funny.
The more parts of a program you have referencing any single variable in programming C/C++, the more chance for a margin of error you have.
Security works the same way. The more places you use a key, or the more people you give a copy of your key to, the higher risk you have for errors, being hacked, identity theft, being robbed, etc. A 'single sign-on' like the MSN/Hotmail passport or AOL's new Single-Signon or Screenname (not sure what they are calling it) that all AIM accounts/AOL accounts now have become are just another invitation of risk.
Users need to be alerted of this fact, that these systems may not be secure, and users need to understand that the more people who they use their single sign-on for, the higher the risk becomes.
In this situation though, you have to wonder. If the person issuing the 'keys', microsoft in this case, does not do a good job of protecting them and making sure that their security is up to date, can it be any better than if you had a safe deposit box that sat unlocked in the middle of Times Square?
I can't wait to see what happens when in addition to all these Single Sign-on and Passport type programs, that we have Digital Signatures too. That should be interesting.
[Something witty and intelligent should have appeared here.]
{Traicovn}
I'm glad I stopped using them years ago, when M$ took over. I kinda knew that their service was going down.
Let's see, they were hacked once, then the red worm did a little damage, now they are hacked again... hmm can't wait for .net, so that everyone can read my design documents. hmm do you think they'll have local or remote storage with .net???
It's too bad that they are such a hackers' target and they do little in the way of security. I wonder how strong the M$ firewall will be in XP..
I know it may seem a bit trollish, and would be surprised if someone did not ask questions, but then again there are those that follow blindly.. Are you a sheep or a wolf?
Only 'flamers' flame!
I'm so glad they found this flaw (one which from the reading isn't all that new) as now we know that our hotmail can be read by anyone - how ? well the kind hearted uber skilled hackers didn't just post this to MS did they ? naaah they posted it everywhere - it's the talk of IRC etc etc.
I'm so glad hackers keep 'finding' things, like credit card numbers, ways into banking systems, viruses like code red - makes me feel warm and fuzzy.
My question - not to be a troll - is this (and this does not just relate to MS products but I'm asking a serious question)
if this security flaw had not been found (by these guys looking for a way to break into hotmail to read peoples mail) would anyone have been affected ? I mean if the flaw had to be looked for with careful thought etc then was it a real serious issue BEFORE these guys told everyone ?
networks can have flaws and holes, open ports etc left active by a careless admin - not the best I know but big systems have a lot of work and these days we are coping with less staff (I know my company is) so sometimes things slip through.
But these guys go and look for the exploit (I mean what other reason would you have to search for this exploit BUT to be able to hack in and read mail?) and then why tell everyone?
These things need to be fixed I agree but if no one would know they were there except for some kindly souls seeking them out then how much of an issue are they ? Are we just accepting that hackers are a good thing cause they find these problems ? what will you think when they 'find' that flaw in the company which has your credit card number ?
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
Why does the media try to convince people that a "fast internet connection" is a limiting factor? It seems to me that many of the people who are script kiddies, or l33 d00z, or whatever, are people who have some form of broadband. That's like saying "well cars are only dangerous if you drive a Porsche."
I will probably take a huge beating for saying this, but here it is. Although Microsoft has a long way to go in dealing with security issues, they are lightyears ahead of where they were only a few months ago. New tools to scan all the servers in the domain for patch levels of various vulnerabilities, fairly quick response time to notifications of vulnerabilities and no more "that's only a theoretical vulnerability" attitude.
I am subscribed to their security notifications and there is an honest effort on their part to fix the problems. More shocking is the recognition they are giving to groups that expose these vulnerabilities - a 180 turn around how they used to disparage those who uncovered such problems.
Sig under construction since 1998.
I don't mean to be a stick in the mud but this information clearly lays out how to hack into a privately owned computer system. This is illegal in most countries and as such whilst Slashdot don't censor their posters (free speech is something I'm all for) allowing this to be moderated up shows the sort of people that this site is being controlled by - and a smart lawyer could argue that the promotion of this item constitutes the marketing and or distribution of this illegal material thus making slashdot and its owners accessories after the fact to a crime (yes hacking is a criminal offence with jail terms)
Just a point - now if you guys have a brain you will mod this back down or remove it - I think it's an interesting post but I would encourage the users NOT to post full exploits but a link to a page (use geocities or someone similar) off site - as you cannot be held responsible for it (pretty disclaimers aside you are legally responsible for the content here - it's just that no one has decided to pursue it yet)
YES I AM A LAWYER
Thanks to Hotmail there are going to be a number of people out there now using my name to get valuable college degrees over the `net.
Hopefully they'll be good sports and also get me a lower interest rate on my home.
And let's not forget...I send you this e-mail in order to have your advice. I have a hard enough time reading my e-mail. Good luck to all the crackers out there who want to read my e-mail. I even got spammed the other day by someone selling orthopedic in-soles for people with a "leg lenght discrepancy" now that is something I'm looking forward to more in the future, Niche Spam.
so how long until slashdot gets one of these or worse, this?
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
how is simple information illegal
I dunno.. but it is. I keep asking myself the same question.
"A mind is a terrible thing to taste."
What you seem to be saying is that if the people hadn't reported it / found it, there would be no problem. This seems to imply you think they are the only ones capable of finding this particular hole.
So if I see a dangerous condition -- say, a truck moving down the highway with a flat tire falling to pieces, or a leaking gasoline tank, or a fallen power line, or a boat coming unmoored, or a building with loose masonry, or a bad pothole, any number of things -- if I see any of these, rather than warn the public of the danger, better I should leave a note for the owner, who may be off on vacation and won't respond for several weeks? Am I supposed to be so worried that some lunatic might throw a match into the leaking gasoline that I say nothing at all?
I think you need to bury your head in the sand a bit deeper, instead of surfacing now and then to say such silly things.
Infuriate left and right
1. Log into hotmail normally.
2. Type in this link:
Yes, perhaps one unfortunate day it will be illegal to explain security vulnerabilities in depth, but until then there's little wrong in supporting open disclosure. Security through obscurity doesn't work.
Accessories to a crime by having this post on Slashdot? Yep, you Must be a lawyer if you can come up with and rationalize arguments like that.
It's encrypted (with end-to-end encryption between HushMail users -- email sent to non-Hush accounts are only sent to Hush's servers unencrypted), it's more secure. I'm not a Hush representative, but after using it for a few months, it's definitely the answer. (The question being, what's the best free email service?)
J
The parent message is just a rip-off of the article on The Register.
Nobox: Only simple products.
"(pretty disclaimers aside you are legally responsible for the content here - its just that no one has decided to pursue it yet)"
This suit is the closest I've managed to dig up so far, but between Communications Privacy Decency Act (or somesuch) and DMCA, along with a prevailing broad interpretation of "service provider", most message boards such as AOL, etc., have been found to have no liability for what goes on. If that weren't the case, ezboards would've been toast a long time ago, and AOL would be fighting dozens of lawsuits a month. Do you have any examples of case law to back up your statement?
I know that /. will probably get a nasty email asking them to remove this post, but I just feel the need to post this bit of information:
NOTE: By following these directions you will be breaking the law.
while (in_car(use *right_foot))\
push(($pedal) to go [@REALLY_FAST]);
I have had this information in my head for years, but felt it was time to inform the rest of you how to do it. Now I know I will be pursued by lawyers attempting to utilize the DMCA against me for revealing this information that the vehicle manufacturers did not want you to know... such is the life of a hacker...
AOL: You've got mail!
Hotmail: You've got someone else's mail!
But then, MS keeps messing with things.
maybe that's what they are doing. Not so much fixing bugs, but practicing security by randomly shifting the bugs around.
Sorta like Whack-a-Mole
;-)
- - -
Radio Free Nation
is a news site based on Slash Code
"If You have a Story, We have a Soap Box"
- - -
"It is a greater offense to steal men's labor, than their clothes"
How about the part of the law that says that parody, satire and caricature is free speech. Clearly the layout of this exploit is a satire along the lines of: How A Three Year Old Can Break Into Fort Knox And Get Away With Half A Trillion Dollars Without Even Trying Very Hard.
We await your lawyerly opinion.
You may be a lawyer, but it appears you are wrong about the link part. 2600 and many others were taken to court and lost, by posting links to DeCSS code, something that is quite outrageous, but it flew in court.
-- Another senseless waste of fine bytes.
You know the kind of letters people write:
"Dear Somebody-you-never-heard-of,
How are you? I am fine. Blah-blah-blah, blah-blah, blah-blah.
Yours Truly,
Some Bozo."
Big deal.
--Homer Simpson
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
I've authenticated with a username and password, yet the username is also being passed in the GET string? And no check is being done to compare the username in the GET string is the same as the username associated with my session ID? Why is doing that simple comparison so hard? It would certainly "raise the bar" even higher on the "infeasible computational" chances of this happening.
This is similar to the Ameritech ebill security hole: no checking of user authentication - just GET any billing information with a *SEQUENTIAL* session ID in the GET string.
If this is an example of the authentication they've planned for Hailstorm services, I think many more people may have second thoughts about quick adoption.
creation science book
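The comparison asked for in the comment above, as an added example that is not part of the original thread and is not Hotmail's code: a constructed message-fetch handler shown once without and once with a check that the mailbox named in the request belongs to the logged-in session. All function names, parameter names, mailbox contents and message IDs are assumptions invented for the illustration.

```python
import secrets

# Constructed sample data: mailbox owner -> {message id -> body}.
MAILBOXES = {
    "alice": {"MSG0001": "lunch at noon?"},
    "bob": {"MSG0002": "quarterly numbers attached"},
}

SESSIONS = {}  # session id -> authenticated username
DENIED = []    # audit trail of rejected cross-mailbox requests


class Forbidden(Exception):
    """Raised for any request the caller is not entitled to make."""


def login(username):
    """Open a session for an existing mailbox (password check omitted)."""
    if username not in MAILBOXES:
        raise Forbidden("unknown user")
    sid = secrets.token_urlsafe(32)  # unguessable session identifier
    SESSIONS[sid] = username
    return sid


def get_message_unchecked(session_id, mailbox_param, msg_id):
    """The behaviour the comment describes: the session only proves that
    somebody is logged in; the mailbox is chosen by the request parameter."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    try:
        return MAILBOXES[mailbox_param][msg_id]
    except KeyError:
        raise Forbidden("no such message") from None


def get_message_checked(session_id, mailbox_param, msg_id):
    """Hardened form: the session decides whose mail is read. A mailbox
    parameter that disagrees with the session is logged and refused."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise Forbidden("not logged in")
    if mailbox_param != user:
        # Keep a record for detection; the caller gets the same error as
        # for a missing message, so it learns nothing about other mailboxes.
        DENIED.append((user, mailbox_param, msg_id))
        raise Forbidden("no such message")
    body = MAILBOXES[user].get(msg_id)  # lookup keyed on the session user
    if body is None:
        raise Forbidden("no such message")
    return body


def is_denied(handler, *args):
    """Return True if the handler refuses the request."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    sid = login("alice")
    print("unchecked, other mailbox:", not is_denied(get_message_unchecked, sid, "bob", "MSG0002"))
    print("checked, other mailbox refused:", is_denied(get_message_checked, sid, "bob", "MSG0002"))
    print("checked, own mailbox:", get_message_checked(sid, "alice", "MSG0001"))
    print("audit trail:", DENIED)
```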
yes hacking is a criminal offence with jail terms
in fact, it is not a criminal offence.
I have legally hacked many systems. Now it may be a law to enter a system without permission, but that's not the same thing. There's also the argument that a hotmail user does have a legal right to be on that system, so what it comes down to is this "is it criminal to break a contract with a private company?" no, but you may be liable on a civil 'level'.
The Kruger Dunning explains most post on
But to me, the most astounding betrayal of computer security ever was Microsoft's conduct during the last Hotmail breach. Not that it happened (could happen to anyone) or even that they didn't pull the plug until days after the exploit was made public but that they kept going for hours after everyone had the URL for the backdoor.
There was a great Salon article by a woman who heard about the breach on CNN, found the URL here and read her ex's new girlfriend's mail. I love the conclusion:
Late Monday, Microsoft continued to downplay the Hotmail hack in a statement published by Reuters: "We're hoping that because we jumped on it so quickly no one was affected."
Fat chance.
I wonder if this time will be different...
Is it really 'hacking'? Hacking may be broadly defined, but it USUALLY implies willfully circumventing security measures. If Microsoft is NOT verifying any information in the GET string (comparing USERNAME against my session IDs username), I'd argue back they aren't implementing security - certainly not REASONABLE security.
creation science book
No, you're not a lawyer, you're an anonymous coward!
My guess is you are a karma whore, nothing more. Now I may be wrong, you might be the actual author. In this case, let us know.
Research by wAwAsAn4
wAwAsAn4@root-core.com
Web: www.root-core.com
Email: [Digital-Vortex]@securityfocus.com
Voila.
Looking for a great online backup: Green Backup
1 53nd y0u th15 m41l 1n 0rd3r t0 0wn y0ur h0m41il
:-)
4cc0unt!
(I just couldn't resist)
Make It Secret . Free JavaScript implementation of AES for your browser
That MSN story you linked to is very informative, probably the best description of Hotmail I've ever seen :)
His girlfriend knows all his information, like zip code and location, so she clicks on forgot my password. Having passed that, his security question was: "What's my sister's name?" That wasn't too hard.
Needless to say, once she got in and had a look at his e lover's correspondence, the four year relationship ended quickly.
** http://www.nkhumanrights.or.kr/ ** Human rights in North Korea. 1 million estimated dead from starvation.
A smart lawyer, of which I could be one, would quickly dispatch the "promoting a felony" argument by pointing out that none of the promoting was done by the hypothetical defendants in this matter. Any promoting or highlighting of the "offensive" subject matter, like the posting itself as a matter of fact, was done by pseudo-anonymous members of the community at large.
It could be argued, I suppose, that Slashdot.org has created a forum that fosters or even encourages(?) such offenses, but that argument has fallen flat in a number of cases already decided.
Precedent being what it is I don't think Taco and friends should be speed-dialing Johnnie Cochran just yet.
-Coach-
Speaking of pretty disclaimers...I am not your lawyer and this is not legal advice, merely my educated opinion. If you wish legal advice seek out an attorney licensed to practice the kind of law you need in your area and pay them for it.
Perhaps the world's greatest tragedy is that ignorance is not impotence.
I'd be more worried that the person was clear sure if their friend was a boy or a girl.
...j
No, It's not news. It's entertainment. What can we do but be entertained by occasional bouts of profound incompetence...
--Got Lists? | Top 95 Star Wars Line
Actually this ruling does not apply to slashdot (it hasn't been tested) the ruling covers communications carriers who cannot be held responsible for the information carried on their medium - be it phone etc - AOL is an ISP and as such falls under this definition - this ruling protects ISPs from being held responsible for the actions of their users - it's a valid and important point - Slashdot can claim protection under this status but it would have to be proven in a court of law - the prosecution would attempt to prove that slashdot knowingly allows the information on this and other examples to be posted (disclaimer aside) and this forum is often host to people who advocate hacking and mail bombing and DOS etc as action against companies and individuals - the user posted this under a username as was his right - but /. cannot claim he is an anonymous user and unable to be blocked etc.
note I'm not commenting on the right or wrong of it - I agree the post may be foolish but that's not my opinion to state - I just disagree with the statement that this ruling covers /. as a common carrier.
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
Gotta love the "experts" that TechTV talks to... From the article: In addition, intruders would first need to log in to their own Hotmail accounts, which means they'd leave a clear trail for investigators to follow, experts said.
Uh, yeah, more like "intruders would first need to log in to a new, free, anonymous Hotmail account". Not much of a deterrent!
... or two.
1. The person cracking/social-engineering into your e-mail account will more than likely be somebody who you already know. So don't use widely-known personal info as a password reminder!
2. If you cheat on your S.O., you WILL get caught. This is especially true if you're a man or a lesbian - women seem to be natural Sherlock Holmeses. And yes, "e-lovers" count as cheating.
Freedom: "I won't!"
Okay. If this isn't a hoax, then why hasn't anyone posted the contents of billgates@hotmail.com yet?
--Blair
But when you start to consider that the super-duper-top-secret algorithm for encoding message numbers constitutes "encryption" according to some, then it's protected under the DMCA.
You have just published a "Circumvention Algorithm."
Shame on you. No doubt the FBI is on their way to your house to slap you on the wrists with wet noodles. Oops, I mean slap you in irons. The wet noodles are for Microsoft under the new Punitive Actions for the antitrust suit.
The living have better things to do than to continue hating the dead.
you can download the hobo4 program, written by the folks at Root Core to automate this vulnerability here. Warning about the code however:
a) it's in VB
b) you'll see methods like this:
Public Sub ii(MSG As String)
l_info.Caption = ">" & MSG
End Sub
are there no coding standards even among hacks?
"My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
That's okay.
Microsoft's hotmail operation is in flagrant violation of the opt-out provisions of existing privacy laws.
Microsoft sends email to users' inboxes by going around the entire email system, circumventing all attempts to opt out, block, or filter the spam. These emails come from "staff@hotmail.com" and are clearly not normal messages, because they have the power to disable the Reply buttons.
When told they are breaking the law, Microsoft sends back boilerplate that alternately denies the spam is from Microsoft or gives the instructions for the aforementioned nonworking methods of blocking spam.
--Blair
P.S. As it turns out, their monthly spam-o-gram came very shortly after I opened my first--and only--hotmail account, so just about all of the correspondence that has ever transited that account has been my complaints, their responses, and more spam from them. I think the balance is one or two non-microsoft spams and one email from a guy who runs an anti-spam website to whom I'd mailed the long transcript of nonsense that had occurred.
In what twisted universe is "This is almost certainly illegal, idiots." (to paraphrase) construed as legal advice?
If a tree falls on an anonymous coward yelling 'first post' in the forest, does anybody hear?
> and a smart lawyer could argue that the promotion of this item constitutes the marketing and or distribution of this illegal material thus making slashdot and its owners accessories after the fact to a crime (yes hacking is a criminal offence with jail terms)
:)
:)
That's playing with words, a smart lawyer could argue.. since you're arguing you consider yourself smart?
Okay, go sue everyone that has moderation rights here, even those who have it tagged on and don't even know exactly what it is because they barely started reading slashdot, and while at it, sue the school/isp/company on which the computer used to commit such a moderation was hooked, and since we're in the complete nonsense and you obviously don't get what moderation is for, why not sue the company that made the keyboard and mouse with which the CRIMINAL act was committed.
Oh shit, wait! you're probably about to sue microsoft...
>YES I AM A LAWYER
Yeah, and your caps lock is on too.
----
Disclaimer
These comments aren't my own, I was playing quake and got owned.
--- Metamoderating abusive downgraders since my 300th post.
Does anyone else think that "crackers can read your email" is something Chef from South Park would say?
CHEF: Now, children, don't leave your computer on when you're not around! Crazy crackers can read your email!
STAN: Holy crap!
CARTMAN: You guys are so lame.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
My god that's totally hilarious. someone please mod this guy up :)
EOM
Perhaps your middle school doesn't have email accounts and you have to use Hotmail, but the mere fact that you have a Hotmail account- which, apparently, you use at least for unimportant stuff- means Microsoft has one more user to brag about to advertisers. Obviously it isn't such a big piece of shit, or you'd use Yahoo! or some other free webmail service.
If you're really concerned about Microsoft's lack of security and quality control, don't buy their software or use their services. And it's the problem of millions of users like you who use Hotmail, many of whom either don't have much of a choice for email accounts or were using it before MS took over. Lastly, exploiting the flaw won't make them fix it any faster than they are right now. It'll just get criminal charges pressed against a few script kiddies, and rightly so.
Personally, I think anything beyond Pine is overkill. Not everyone is lucky enough to have email accounts on Unix servers, though. Passport sounds like an absurdly awful idea, but I don't think anyone could do it right. I'm worried about Microsoft taking over the Internet, but I don't think they'd necessarily do a worse job on Passport than, say, Sun. There's not a lot of practical work done so far involving such massive systems, and I don't think they've thought it through very clearly beyond the marketing department.
It's already all over the web. I read it at The Register hours ago.
Good point on that - but the laws on computer crime are different aren't they ?
Still you might be right - but would this not depend on the jurisdiction ? - if the case was in the New York Courts but Slashdot is based in say California it might not necessarily be precedent setting as it's not a federal case ? I don't know as I am not a lawyer but it would be interesting to know as this is a valid question
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
Actually i have had hotmail accounts for years and have also had accounts on other providers of free mail services.
Yahoo was spam city - it may not be hackable but christ did I get spammed - and emails from yahoo 'affiliates' were a constant problem - even though I asked them not to
RocketMail - not bad - but now gone
Altavista - More porn spam than you can poke a stick at and messages from them every day
That's a few examples
Hotmail used to be bad - but over the last 8 months with the account I have I average 1 spam a week (those damned college degree ones) and 1 message a month from Hotmail staff - I get little other spam and the filters work - it's also free so who cares about 1 little message - and the address is a non reply - I have them here on my system for helpdesk and notification purposes - it's not 'power' it's a standard thing.
Do you use hotmail daily these days ? (just wondering not flamebaiting)
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
How would SSL help?
Lawyer or no, you should understand that consumers' rights supersede a business' rights, and when a problem like this is ignored for "3 days" I hope the exploit is on the evening news until it's fixed. The only possible defense I can see for hotmail is to say that they provide a free service; but they provide a service where people pay with their personal information, which is sold to advertisers. Given that you are a lawyer, you should be looking to change things like this for the better instead of demonizing the spread of information. I might've been able to sympathize if you had at least insulted the people in other posts who actually claimed to be doing the cracking.
All you can do is read other people's spam.
Help save the critically endangered Blue Iguana
If you want my hotmail password that bad, just ask. I'll send it to you and save you the trouble.
Donate background CPU time to fight cancer.
Just read this l33t article on "How To Become a Hacker", and you'll be hacking into people's mail before you know it!
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
Experts? Experts who think you need real-world authentication to log into hotmail?
I'll just leave my door unlocked because it's not a problem unless I'm specifically targeted.
Anyway, if you're going to write a web page that cites other web pages, please put in a link. The anonymous authors of this page ("Tech Live staff") neglected to link to Root-Core, which seems to be the focus of the story, although they linked to Sophos, which was tangential.
And this was on Bugtraq on Saturday.
Not disagreeing with you, but that post seemed to be a paste from a message on Bugtraq on Saturday. Bugtraq always has full disclosure exploits. Why hasn't this legal theory been applied to Bugtraq yet, as they are quite high profile?
So what MS product got hacked again?
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
Now someone's going to get into my hotmail spam account and be able to read all my spam. What to do?
I mean, really, does anyone use hotmail for anything other than a spam repository?
Just give up. Seriously. You tried, you failed repeatedly, you continue to suck. You are the IUD of the internet. Utterly incapable of taking care of yourself and completely unloved. Just kill yourself and go away.
I'm all for a security hole in Hotmail if I can get the crackers to somehow delete the 100 pieces of spam I get to that account everyday.
--It's Pimptastic!--
Dude, you're allowed to walk down the street for free, I can't believe you'd bitch about the cops pushing flyers in your pockets and searching you for doobs on every corner.
The account isn't free. It's got banner ads all over it. That's my eyeball time purchased by Microsoft's sponsors. And they count the page hits for their own advertising. That's the price paid for my account. I also have to spend my valuable time observing, and in some cases stopping GIF animations and Flash4 loops on, those ads. But I have the legal right to stop them from mixing their spam with my email.
Microsoft is breaking the law. They offered a box to check to opt out of spam from all sources, and I checked it. They know the law. They choose to flout it, going so far as to design software to get around all attempts to block their spam, and to train customer-support personnel in evading the issue and delaying its resolution. My indignation is completely justified.
It's not any less a crime just because some people think it's okay to be victimized. I expect people to disagree with that. I expect people to vote against it. I expect some people still to elect fascists and communists into power in their countries. No issue is 100%.
Microsoft is committing this crime against millions of us, when all they have to do is pay attention to that checkbox and they won't be committing that crime against any of us. What's so hard about that?
--Blair