Passport's Pocket Picked
emmons writes: "It looks like there's another hole in MS Passport according to Wired. This one allows a user to steal another user's Passport Wallet, credit cards and all, by getting them to open a hotmail message. Nice." What happens when someone steals the basket with all your eggs?
and get a Passport. I was about to buckle under the pressure...
...this is just the beginning.
To correct serious security flaws, Microsoft on Friday disabled the virtual wallet function of its Passport service and has begun notifying partners about the vulnerabilities, the company has confirmed.
The bugs in Passport, a sign-on service used by more than 165 million people, were discovered this week by Marc Slemko, a software developer who lives near Microsoft's Redmond, Washington, headquarters. Slemko is a founding member of the Apache Software Foundation.
By cobbling together a handful of browser-based bugs with flaws in Passport's authentication system, Slemko developed a technique to steal a person's Microsoft Passport -- credit card numbers and all -- simply by getting the victim to open a Hotmail message.
The attack raises new questions about the inherent security of Passport, which is being positioned by Microsoft as the linchpin of its .NET e-commerce service initiative.
In a demonstration of the exploit earlier this week, Slemko sent Wired News a specially crafted but innocent-looking e-mail. Moments after the e-mail was viewed using Microsoft's Hotmail Web-based e-mail service, Slemko rattled off, over the phone, the credit card number and contact information from the user's Passport wallet.
According to a notice at the service's site, the Passport wallet enables users to store credit card and address information "in a secure, online location. Only you have access to the information in your .NET Passport wallet."
Introduced in 1999, Passport is what Microsoft calls a "platform service" and is being pitched to merchants and other partners as a convenient and secure means of determining whether site users are who they claim to be.
Besides enabling Web surfers to access Hotmail and several other secure sites with a single log-in, Passport includes a wallet system that speeds shoppers' checkout at dozens of sites that deploy the Passport Express Purchase technology.
In an e-mail today to Slemko, Passport's lead program manager for security and authentication, Chris Peterson, said the wallet service will remain offline until the company can add additional security features "to ensure that similar exploits cannot be used to compromise our user's credit card information."
Microsoft's Hotmail is the largest service currently utilizing the Passport authentication system, but the technology has also been deployed by eBay to allow users of the online auction service to sign into their accounts.
In addition, Microsoft's MoneyCentral personal finance site relies on Passport's sign-on technology.
Prior to being fixed by Microsoft, the authentication flaws discovered by Slemko could have enabled an attacker "to do anything as if they were the Passport holder," including editing the user's portfolio at MoneyCentral, or changing users' auctions at eBay, he said.
More than 70 sites are in the process of deploying Passport's authentication technology, according to Microsoft. Among them is Prudential Banking's Egg.com online bank, which is switching to Passport from an authentication system developed by Entrust Inc., according to published reports.
Besides posting it at his site, Slemko intends to release the technical details on several security mailing lists Friday "so that, if they choose, users and partners can choose to reduce the impact on themselves," he said. Because of the severity of the flaws, Slemko withheld publication until Microsoft had an opportunity to correct them.
According to Microsoft, the company has patched two bugs utilized by Slemko's exploit: an HTML filtering issue in Hotmail as well as a cross-site scripting flaw in its Passport server configurations. In addition, the company has modified a software timer so that Passport users must re-enter their password anytime they attempt to access the wallet service.
While Slemko's exploit, which relied on stealing browser cookies used by Passport, has been rendered inoperable by Microsoft's fixes, the programmer said "deeper issues" remain with the service.
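To make the re-authentication change concrete, here is a small added illustration (not Microsoft's code and not Passport's actual design): a single-sign-on session where any valid cookie reads the mailbox, but the wallet additionally demands the password on every access, so a session cookie captured through a script-injection bug in webmail no longer unlocks the wallet by itself. All function names, the in-memory stores and the credentials are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed demo stores (assumptions for illustration, not Passport's design):
# username -> (salt, PBKDF2 digest); cookie token -> username
_USERS: Dict[str, Tuple[bytes, bytes]] = {}
_SESSIONS: Dict[str, str] = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(username: str, password: str) -> None:
    """Store a salted password hash for a constructed demo user."""
    salt = secrets.token_bytes(16)
    _USERS[username] = (salt, _hash_password(password, salt))


def check_password(username: str, password: str) -> bool:
    """Constant-time comparison against the stored digest; unknown users fail."""
    entry = _USERS.get(username)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(digest, _hash_password(password, salt))


def login(username: str, password: str) -> Optional[str]:
    """Single sign-on: a correct password yields an unguessable session cookie value."""
    if not check_password(username, password):
        return None
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = username
    return token


def read_mailbox(cookie: str) -> Optional[str]:
    """Ordinary SSO-protected resource: the cookie alone identifies the user.
    This is what possession of the cookie buys on its own."""
    return _SESSIONS.get(cookie)


def open_wallet(cookie: str, password: Optional[str] = None) -> Optional[str]:
    """Step-up check modelled on the fix described in the article: the wallet
    needs a valid cookie AND the password re-entered on this very request."""
    user = _SESSIONS.get(cookie)
    if user is None or password is None:
        return None
    if not check_password(user, password):
        return None
    return user


def stolen_cookie_scenario() -> Dict[str, Optional[str]]:
    """Walk through the page's scenario: the victim logs in, someone else holds
    only the cookie value, and both resources are tried with it. Returns what
    each access yields to the cookie holder."""
    register("victim", "correct horse battery staple")  # constructed credentials
    cookie = login("victim", "correct horse battery staple")
    assert cookie is not None
    return {
        "mailbox_with_cookie_only": read_mailbox(cookie),  # "victim": SSO trusts the cookie
        "wallet_with_cookie_only": open_wallet(cookie),    # None: password now required
        "wallet_with_cookie_and_guess": open_wallet(cookie, "password1"),  # None
    }


if __name__ == "__main__":
    print(stolen_cookie_scenario())
```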
"Passport's greatest marketing strength -- the single sign-on -- is also its chief technical weakness. It will be fairly trivial for attackers to dream up new ways of exploiting this," he said.
Slemko is not the first to reach this conclusion. Last year, researchers at AT&T published a paper that observed that Microsoft's single sign-on service "carries significant risks to users" and warned that "Passport must be viewed with suspicion."
Microsoft subsequently fixed the bugs identified in the AT&T report and issued a response, down-playing the researchers' conclusion that Passport is inherently flawed and promising new security features in the future.
One fruit of that promise is in Microsoft's recently released Windows XP operating system, which attempts to improve the security of Passport's sign-on system by moving the authentication out of the browser and embedding it into the operating system.
Microsoft has also adopted what it calls a "federation" model for Passport that will allow other authentication vendors to create systems that interoperate with Microsoft's platform.
But critics still contend that granting Microsoft control over a massive set of personal data creates intolerable security risks.
"If history has shown us anything, it's that the best protection lies in decentralizing power and promoting competition. We need to take the same approach to our digital identities and make sure that who and what we are is not held captive by a single entity," wrote Whitfield Diffie, one of the inventors of public-key cryptography, and Susan Landau, a senior staff engineer at Sun Microsystems, in an editorial published last week.
According to Slemko, the fact that he needed just half an hour to cook up a way to exploit Passport's security flaws indicates that Microsoft is not fit to run a service with Passport's ambitions.
"It is very clear that either Microsoft does not have sufficient resources in place to properly review the security of their services and software, or that they are aware of the shortcomings but decided that attempting to gain market share was more important than their user's security," he said.
Ah, the last peanut -- overflowing with the oil and salt of its departed brothers. -Homer
You throw a smoke screen around the area until you can fabricate some new ones. Not to be a troll or anything, but this was only a matter of time.
Maskirovka
What happens when someone steals the basket with all your eggs?
You have nothing left for trick-or-treating with.
great... the single greatest magnet for spam is also an open book to your credit cards. I can see it now: "Hot dirty sex... you've paid for it already, so you might as well cum see!"
"You've already paid the fee to get in on our bogus pyramid scheme, so now it's YOUR turn to go steal from someone else!"
Inconceivable!
I guess we shouldn't have used Microsoft Condom...
:q!
> In addition, the company has modified a software timer so that Passport users must re-enter their password anytime they attempt to access the wallet service.
:)
will be
> In addition, the company has modified a software timer so that Passport users must re-enter all the information associated with their passport account (including their Wallet account) anytime they attempt to access the wallet service.
Which might be shortly followed by the first time MS has ever been able to claim their technologies are relatively secure. (Yes, I'll avoid being a jerk and suggesting anyone can ever be 100% secure.)
"Old man yells at systemd"
If this is Microsoft's universal security solution, I can't believe they'd put out something that can be so easily cracked without knowing it.
Is it conceivable that M$FT is deliberately designing holes, staging exploits and publicizing them in order to get popular support for federally controlled security systems and universal elimination of anonymity?
The anthrax could be the same thing.. government allowing it to spread, or spreading it themselves, to pressure Congress to pass the USA PATRIOT act, which they did, and to pressure us to accept strictures on our behavior?
In both cases, ask: Cui bono? In the current climate, who benefits from these activities?
Terrorists don't benefit from the anthrax, and OSS doesn't benefit from these Passport exploits. In both cases, the government benefits.
Goat sex free since 2001
I remember a year or two ago a person could send you an email and obtain your hotmail account. Hotmail is a gaping hole in the passport service.
With passport, microsoft wishes to be the customs agent of the internet. However, with flaws like this they really are not going to turn many people over to their side.
I'm sure more exploits will pop up in the future. Most of them will likely use hotmail in some way or another to enter.
ok, obviously my post will be rejected as this one already made it through (they rejected Marc's initial story which I guess shouldn't surprise me), but here's more linkage about where you can read about the technical details:
Marc's Passport Advisory
What happens when someone steals the basket with all your eggs?
Send special forces to kill the bunny. And cluster bombs, lots of fucking cluster bombs
Hammer of Truth
You sue them under the DMCA, future SSSCA, Anti-Terrorism Act, or the like.
A testimony to the proposition that security CAN be legislated.
(Yeah, right.)
The living have better things to do than to continue hating the dead.
Anyone remember the story with MS whining about how security people should just shut their cake-hole and not "reveal" exploits? I wonder if they'll take the same stance on this one.
"Well, it wouldn't have been too much of a problem until those meddling kids at Apache showed up..."
If you were me, you'd be good lookin'. - six string samurai
I really like this part:
In addition, the company has modified a software timer so that Passport users must re-enter their password anytime they attempt to access the wallet service.
While Slemko's exploit, which relied on stealing browser cookies used by Passport, has been rendered inoperable by Microsoft's fixes, the programmer said "deeper issues" remain with the service.
"Passport's greatest marketing strength -- the single sign-on -- is also its chief technical weakness. It will be fairly trivial for attackers to dream up new ways of exploiting this," he said.
Why? I installed XP for my dad, everything works perfectly. The OS is great. I got tired of passport starting up, so I clicked on it, canceled a few prompts, went to settings, checked 'do not start up on boot', and closed the program. IT STILL STARTS UP ON BOOT. My point is that MSFT has made it very difficult to stop the damn thing from starting. Screw Passport.
Life is like pants... fit in or you don't fit in.
I sure hope this doesn't stay on slashdot. It should really be public knowledge that this sort of thing can happen in the passport service that MS provides. - ASAP
- To understand recursion, we must first understand recursion -
Where did your wallet go today?
-Zane
This sig is worse than my last.
Time for me to be a bit fece^H^H^H^Hfacetious. Microsoft is an Evil Empire(TM). Their products are the joint effort of thousands of easily brain-washed students fresh out of college who decided, at the last minute, to major in computer science rather than business.
If you celebrate Xmas, befriend me (538
This is but one example, but. . .how many user names/pass do you think can be garnered through a simple brute force script? A third? My father does a good number of things through Sun. Check out their auth. It relies more on SAW encrypt, which in turn is certainly more solid. And yes, I have your hotmail account. . .
MS seems to have Single Point of Failure problems in a lot of things: the Registry, any one?
It doesn't mean much now, it's built for the future.
Yeah so the chance that I'll ever give microsoft an important piece of information: 0. I can't wait to see how they spin this.
Quoting a gem from the article:
"More than 70 sites are in the process of deploying Passport's authentication technology, according to Microsoft. Among them is Prudential Banking's Egg.com online bank, which is switching to Passport..."
Egg.com sounds kind of ironic. Must be quite a marketing effort on Microsoft's behalf getting banks to deploy not tested technology on a mass scale.
Who'd like to file suit with the FTC against Microsoft for false advertising? I think we all know that there is no such thing as absolute security, or that security is a process, not a result, etc etc. But does the average non-geek American know that? For that matter, does the marketing department at Microsoft know that?
You can't market a product as having qualities it doesn't have without getting into trouble with the FTC. Granted, MS will try to spin this as "Those bad Linux hackers will steal your data!" The fact remains that they've lied to the American consumer. I think they need to be forced to amend their advertising.
Sad isn't it, here is the VERY thing all those "privacy people" keep screaming about. The thing that MS says won't happen. The idea should chill us all to the core, after all with XP released it's just a matter of time before a majority of Americans will have a "passport". Will it be reported by any big news organizations? Will it make front page (it should).
In the end I guess I best move to the bahamas and start ordering lots of neat things with all these new credit card numbers that magically appeared in my hotmail account.
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
Microsoft .Net and Passport to blame!
...
Bill Gates identified as culprit: "We of the Taliban shall never be defeated!" shouts the software terrorist as he is hauled off to a comfy cell.
More news as this story breaks
--- Will in Seattle - What are you doing to fight the War?
Interestingly, this is exactly what will happen.
Only the discoverer of the hole will be forced to announce it anonymously, and publish it only in dark little places where the lawyerly eyes of Microsoft won't find it. And unscrupulous eyes will.
I can see it happening already. And Microsoft would not even hear of the hole until it's far, far too late. It will be a very, very dark day if information is compromised on this scale.
The DMCA in this case would directly contribute to the destruction of the integrity of the Passport system.
Simply put - if only outlaws find security holes, then only (genuine) outlaws will have access to them.
Yes folks, I'm tired. Getting modded up at 50 and getting nothing from it is such a bore. Bouncing around in the high 40s just isn't worth it anymore. In fact, you might even say I'M AS MAD AS HELL AND I'M NOT GOING TO TAKE IT ANYMORE.
That's why I'm going to blow my Karma brains out, right here on national TV, err... um... international web... err.. whatever. You get the idea.
Heck, I might even go for negative karma. I mean, VA Linux, err... um... VA Software or VA Chicken Processing or whatever business they are in this week is going to fold soon anyway. What difference does it really make? So go ahead mods, do your worst.
===========
While I'm waiting for the form submission timeout, let me tell you a little fable. Once upon a time a man heard that there was gold in seawater, but no economical way to extract it. So, he studied chemistry for years, earned a PhD and worked secretly on it in his spare time, neglecting everything including marriage, parties, and anything remotely resembling fun. One night he went out in a boat to test it. Because he forgot to move a decimal point, he didn't realize how fast it would work. He went to sleep, and overnight the electrode got so heavy that the boat sank with him, his idea, and his pathetic life on board.
The moral of the story? Well, this is /., so "Bill Gates is evil" is the moral.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Maybe I'm being stupid here, but what's the diff between Passport and PayPal, and why hasn't PayPal been a crack target?
Also, I had no idea 165 MILLION people were already using Passport - I suppose my OS hasn't asked me enough times to sign up for it until I break under the strain...
"Look, Smithers! I'm Davy Crockett!"
It's an adequacy.org troll, written to capitalize on people's paranoia. Mod down.
I know most readers here aren't using hotmail but the article also mentions that the technology has also been deployed [Microsoft Press Release] on Ebay. Thought you might want to know!
-- Find the Truth...
I haven't read the Passport user's agreement, but would I be incorrect in guessing that Microsoft takes no responsibility for the safety of one's personal data? We're sorry we ruined your life, but if you read the fine print you will see that we are not responsible for anything. When will Microsoft be held responsible for its actions?
"To those who are overly cautious, everything is impossible. "
This shows that your private information may not be in the best hands when entrusted to a company like Microsoft. But there are other 'takers'. Some even with the best of intentions.
If any of them ever gets to be the one and only 'central repository', they will be subject to just this kind of attack as well. If you can't compromise the service, then hack into the user's desktop. As soon as enough people use it, it becomes a very attractive target. In a similar vein, there have been viruses that target the client end of home-banking software.
Security is enhanced by redundancy, by having several distinct systems in place, preferably as dissimilar as possible. Monoculture and monopolies always form a fertile environment for viruses and other pests.
I feel this makes the whole idea of a centralized service like Passport or any of its competitors an extremely dangerous development.
I never (knowingly) allow any site to keep my CC number, which is why I always use a "temporary" CC number (for example Amex Private Payments).
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
Faster than the speeding light she's browsing,
Trying to remember where her wallet ran,
She's lost herself that Ebay afghan,
Waiting for the time when MS shall be as one
And I feel like I just got robbed
And I feel...
(all apologies to Madonna)
While I make this point in my paper, I just wanted to make sure people understood:
The real risk here isn't to hotmail or passport wallet (passport wallet isn't really an integral part of passport, just another service using it for authentication). It is to all things using passport. That isn't so much right now. But if Microsoft has their way, it will be. The sample exploit used Hotmail and Passport Wallet simply because they are commonly used services.
I would also like to note that Microsoft has been quite forthcoming with details and admitting the problems and fixing them. They are very good at being reactive. We will have to see how well this works going forward.
I'm gonna go for all of the above
Bobuhabu
Sad. Has ANYONE at Microsoft considered the odds they're up against?
The Redmond squad: A handful of programmers forced to work with an operating system that was never designed for security in the first place.
The other guys: A WORLD full of bored and tech-savvy geeks, most of whom have grown up with a nice, healthy contempt for anything Microsoft.
Guess who wins?
-- Nick
eXport Privacy
"Well you see your honor, when all those free credit card numbers appeared in my e-mail, I just assumed that they were free trial numbers like the mail said. I just KNEW that they couldn't have been ripped off from peoples' passport accounts, because Microsoft swore to me on their holy closed source code that it was -impossible-! How was I to know ordering all that expensive stuff right away wouldn't be ok..."
It's a feature. You know that the majority of people who get a passport account only use it to sign up for pr0n sites anyway...
This just cuts out the middleman
Comment from Passport's program manager:
the wallet service will remain offline until the company can add additional security features "to ensure that similar exploits cannot be used to compromise our user's credit card information."
What's the standard for this? Based on Microsoft's track record, a new exploit will come up regardless of how many patches are issued. No way I'm going to let them keep my personal data. Too bad the average consumer may not realize this.
While we espouse our need to breakup Microsoft we have overlooked our great need to sue for negligence and false advertising. Their products do not perform safely nor with the diligence we as consumers need. This is another case of a lack of thought and concern put into a consumer product. If Passport were a vehicle or food product, the manufacturer would have been sued for negligence.
Of course we torture people, we need the information --Gen. Pinochet
You MUST be in the wrong place....Please get with the program....If you don't have anything BAD to say about M$ please remain quiet. :)
If my parents got their CC# stolen from passport and some guy bought a thousand dollars in hot grits, they would dispute the charges. No biggie. If I was VISA on the other hand, I might have a different perspective.
People seem to be blowing this out of proportion, IMHO.
How often do you hand your credit card to a server at a restaurant? A store? Over the phone to pay for something? Are you forgetting that your credit card number can easily be stolen that way? Most receipts from purchases have your credit card number on them. Do you shred / burn them to stop someone from getting your CC #?
Are you crazy? Does here actually have a hotmail account? All I get is spam... there no possible way I'd EVER open a message in my hotmail.
Looks like I have no worries on this one...
What happens when someone steals the basket with all your eggs?
All your egg are belong to someone!
"Slemko is a founding member of the Apache Software Foundation"
Too bad he can't spend his time fixing the Windows version of Apache.
I wonder why no one ever tries to sue Microsoft for creating a defective product. I mean, they sue Firestone for bad tires and Ford for top-heavy SUVs. What is the difference... well obviously, no one dies here but still.
I can't believe this actually happened. I mean, their entire .NET initiative is riding on this passport business and showing they can secure your information.
What folks need to do is hold off on publishing these exploits (as Microsoft requests) until they've got a lot more riding on it. When a couple of banks lose a couple of million bucks on this, not to mention the confidence of their customers, well, then you might get some real coverage.
Remember, Microsoft wants to build houses of straw, and likes to call anyone who points out they are made of straw terrorists. Of course, as soon as I see that attitude from someone I'm supposed to trust I run as far and as fast as I can, just as I'd run from a used car salesman who wouldn't let my mechanic check out the car.
Now that was a completely obvious troll.
I'm not surprised it came from Adequacy.
You will be assimilated. Resistance is fut- HEY! Who took my wallet?
Doesn't anyone remember how naughty it is to be reporting all these bugs! Be sensible and sweep them under the rug.
A feeling of having made the same mistake before: Deja Foobar
Perhaps one should fill their basket with rotten eggs. Such as creating false and very traceable credit card #'s that in every way look real. Set a few of these rotten egg baskets about and let the bad people have at them.
Or, I suppose you could fix the software. But that's no fun.
managers...why god invented purgatory
I wish they were more proactive!
What happens when someone steals the basket with all your eggs?
Eggs? What you talkin' all about eggs for? Don't give me none of that Gibber-Jabber, or you best be tossed!
You took a wallet? I don't see no crazy wallet! You're talking like Face, crazy fool!
Besides, you don't need no wallet! Just dial
1-800-COLLECT and save a buck or two.
XP? That better mean Xtra Punishment, cause that's what I'm gonna do to that Gates fool! He can't escape me, cause my van's hella fast!
Don't do drugs! Drink milk!
Come here, sucka. I'll toss you!
...for Linux, that is! We've had public key cryptography for a while, thanks to Dr. Diffie and friends, I wonder if it's time to prototype a real personal wallet framework around PK and get someone like Whitfield Diffie to push it as a privacy-friendly form of magic authentication. How about "if you don't have a PenguinCard we can't look you up in our Oracle database, so you can't get you on the plane".
davecb@spamcop.net
In fact, Microsoft was actively contacting reporters to let them know about the issue and try to put their spin on it even before I released my exploit.
A number of Microsoft employees also leaked it to their friends after I reported it to Microsoft, and it started spreading from there.
And even Microsoft's lawyers were in on the gig of making sure everyone knew about it.
But seriously... Microsoft has been, and almost always is, very good about timely responses to security reports. Their problem is in dealing with them without having to be told by some Joe User that they have problems.
And I feel,
like I just got robbed,
And I feel...
Is a single .sig service... No matter which service I am logged into (web, e-mail etc.) I get the same lists of .sigs
- Nothing but a 32 bit operating system, running on a 16 bit core, based on an older 8 bit operating system, run by a 4 bit company that can't stand 2 bits of competition
Thanx, assho^H^H^H^H^H fella! - "Press to Test" {CLICK} "Release to Detonate"
Think, write, think, edit, think...then post.
I suggest the following for the next poll:
Would you trust Microsoft Passport with your credit card details:
* yes
* no
* I'd give them Cowboy Neal's credit cards instead.
HH
Do you shred / burn them to stop someone from getting your CC #?
Actually, many people do just that.
That's not the major point, though. This "crack" will allow someone to, perhaps, manipulate your financial portfolio if it's set up through Passport. "What do you mean, I just bought 10,000 shares in Hot Girl Condos on margin?" Millions and billions of dollars there, at risk, if MS gets their way and that sort of thing is hooked through your Passport account.
If you're a zombie and you know it, bite your friend!
I attempted to post this a few times but it appears that today's moderators did not care very much. Microsoft has started actively putting pressure on security researchers to shut up about the details of security vulnerabilities in their products. The Register has more information.
Dell Computer: $1099
Microsoft Windows XP: $219
Compaq IPaq with Windows CE: $499
Subscription to .NET services: $19.95/mo
Microsoft Passport: Free*
Having your MasterCard(TM) info on the net for anyone to see: Priceless.
:p
(*note: This is a parody of the successful "Priceless" MasterCard(TM) advertising venture. As a parody it is protected under the 1st amendment established by MasterCard(TM) v. Nader)
People shape laws. Not the other way around.
shiiittt.
haha. ms you suck.
MARIJUANA, SHROOMS, X: ONLINE?! - E
Most receipts from purchases have your credit card number on them.
Do you shred / burn them to stop someone from getting your CC #?
yup, I burn 'em. Unless fire isn't available--then I eat 'em.
mmmm, thermal paper.
I always figured that a service like Passport, especially with microsoft's abysmal track record in security, would be a wholesale clearinghouse for identity theft.
You may as well put your personal information and credit card numbers ROT13'ed in your sig.
Passport was beginning...
[credit card bill arrives...]
Joe Consumer: What happen ??
Jane Consumer: Someone set up us the Passport !!
Joe Consumer: What you say ??
Jane Consumer: We get signal. Splash Screen turn brue !!
Joe Consumer: It's you !!
Cats: How are you suckers ? All your identity are belong to us !!
Joe Consumer: What you say ??
Cats: You have no chance to switch to secure o/s. Make your time !!
Joe Consumer: Take off every Microsoft o/s. Switch to cash purchase.
Jane Consumer: You know what you doing.
Joe Consumer: Take off every registry key. For great security.
Microsoft®: Undermining consumer confidence since 1981. Wait until we design your voting machines....[diabolical laughter]...
Passport already has more than 200 million folks signed up? That seems huge.
I wonder how long it will be before Microsoft claims it is a victim of cyberterrorism, gets money off of Bush's bill, then has everyone that finds an exploit in their software thrown in jail for the rest of their life? Unlikely you say? With PATRIOT passed, I think there is a good possibility.
And even Microsoft's lawyers were in on the gig of making sure everyone knew about it.
..or does some "AS IS" clause in a license protect them... who ends up paying for the money stolen through the security hole?
Hey if someone's credit cards get stolen due to a security hole in passport and a whole bunch of money gets stolen... can Microsoft be sued by the person whose cards were stolen or by their bank or somebody?
What if MS knows about a security hole but they leave it running while the patch is being worked out, and my money gets stolen.. then are they liable?
It seems like Passport might open up MS to lots of litigation if some major heist happens..
There are 10 types of people in this world, those who can count in binary and those who can't.
The typical user does NOT get this information.
They are happily using their Hotmail accounts and have NO clue that these things exist. Sure, they might have it in PC World, or maybe the Technology section of the Times, but my MOTHER does not read these things. Only us geeks in the industry know ( we are a small percentage of the population).
Microsoft will fix this to appease the security experts, but that's about it.
As long as Joe Sixpack can stay happily ignorant, MS is happy. For example, one of my friends, a very intelligent Nuclear Physicist, just got suckered in to a CompUSA MegaPC w/ 1.2 GHz, 1 GB RAM, DVD RAM and Windows XP for about 5 Grand. He browses the web PERFECTLY fine on his 988 MHz PC. He said the "pretty colors" of XP sold him. I told him of the security flaws and reasons for not going with XP (never mind the absolute non-necessity of the PC), and his response was "How come I haven't heard about these things you talk about?" I had no answer. That's how Microsoft stays in power. If we step outside the industry for a minute, we can see that Linux means nothing to most people, AOL IS the internet, and Windows IS a computer. How do we fix this? I don't know, but someone must.
If you're not a Liberal in your 20's, then you have no heart. If you're still a Liberal in your 30's you have no brain.
What happens when someone steals the basket with all your eggs?
Well, sure enough, that egg is going to end up on somebody's face.
What Would the Fab Five Do?
Microsoft proves again that we shouldn't be signing up for their passport even though it is "secure" and none of your information can be taken from it. Well, what just happened here? Microsoft?
A dishonest waiter can steal tens of credit card numbers.
With this, a dishonest cracker can steal tens of millions of credit card numbers.
"Don't do drugs!..."
actually, Mr. T is a big pot smoker now
once he started going through chemotherapy puking his guts out, a friend brought him some fine "marijuahoochie" as he calls it
it stopped him from puking violently from the chemo
since then he's been a pretty regular pot-smoker in his own words
The odd thing, however, is that these cookies that are set as a result of Passport authentication are, at times, unique to the browser window they were set in. If I open a new browser window, the cookies are not sent and I am not authenticated.
Think DRM tokens, e.g. pay per viewing instance.

help me i've cloned myself and can't remember which one I am
Ask these guys
- Yes.
- Are you fucking nuts?!
- I'd give 'em John Katz's numbers instead.
- I'd give 'em the ip address of goatse.cx.
--Lady Xiombarg of Chaos
ut Microsoft
"These are very sophisticated exploits. This isn't just somebody downloading a script from a hacker site and running it," said Sohn, who reported the company has no evidence that anyone has taken advantage of the vulnerability.
With 2M wallets lying around, someone will put in the effort to create these "sophisticated" exploits. Indeed, someone already has...
www.dedserius.com
VB != VisualBasic
Have you ever actually read one of their EULAs?
Take a look sometime... it basically says that you can't sue them for anything.
One fruit of that promise is in Microsoft's recently released Windows XP operating system, which attempts to improve the security of Passport's sign-on system by moving the authentication out of the browser and embedding it into the operating system. (page 2 of the article)
Oh, goody...we're going to move sensitive information out of a proven hackable browser and into a (not proven, but likely) hackable OS.
This is one of those cases of overextending oneself...I wouldn't trust my plumber to perform my quadruple bypass, either. Maybe it's time for MS to realize that specializing is NOT ALWAYS a bad thing.
Denver Isuzu Suzuki
This is definitely the fault of security professionals not working at Microsoft, "They have a lot of explaining to do for our sloppy products". Next Microsoft will point out that although they are extremely sorry for the loss of your entire equity holdings and position, you did agree to their weasel clause upon installation of their software. That said, Microsoft may give anyone who lost over 5,000 dollars U.S. (no, not Canadian, rupees, etc...) a 10% discount towards the purchase of XP.
I have been ranting to all of my clients and friends about this sort of problem ever since MS came up with the idea of passport.
Scenario:
2 years from now 150 million people actually have their personal details and credit card numbers stored with MS (this isn't so now; people have Passport accounts by default due to Hotmail's reliance on it)
Another hack comes out and it is proven that the vast majority of credit card numbers for people were compromised.
Visa, Amex, Mastercard et al are forced to re-issue credit cards to all people using passport
The global economy is severely disrupted due to the downturn in online spending, the overall costs incurred by the replacement and the lack of consumer confidence in online shopping, banking etc
Microsoft point to the famous "we're not liable for jack shit" clause in the agreement
So what happens? Does MS still get sued? Do the credit card companies just sit back, hemorrhage and go "Oh well, shit happens."?
Most importantly, do consumers finally realise that they have been taken for a ride for the last 7 years and boycott?
This really scares me. Giving personal details to any company is bad. Giving them to a company with a severely impaired security record is just plain stupid.
For the life of me I couldn't find a way to delete my hotmail account, glad to hear it will be done for me.
"Eventually, they'll get around to releasing a decent product.".
Hey! They haven't succeeded in doing this yet! Or did you really like Microsoft Bob?
Am I the only one who thinks that crackers stealing your CC number is nowhere near as scary as microsoft having it? I mean, the passport EULA [still] says "we ownzorz everything that touches our servers". That would include your CC#, no?
You know, that number, 165 million, is a really interesting one.
First of all, get ten of your friends. Between all of you, you probably have close to 20 hotmail accounts. I personally have five, three of which I abandoned a long time ago. Each one of those accounts corresponds to a Passport user.
Now, imagine you're a marketing exec for Microsoft. You've got to go to vendors and get them on board with the whole Passport thing. You tell them how many users are there, with estimations about what sort of percentage you project to be spenders...
Except that 165 Million Passport Users != 165 Million People, so that means that every sales projection based off the original number is going to be an inflated estimation. Just because I have three hotmail accounts doesn't mean I have the spending power of three people...
I wonder if MS is trying to get vendors on board with a falsely inflated number?
"Interoperate", eh? Imagine that. It's the undocumented "Borg" mode that the rest of us are worried about.
Democracy. Whiskey. Sexy. Pick any two.
Excuse me, but doesn't anyone stupid enough to trust MICROSOFT with their CREDIT CARD NUMBER deserve anything they get?
According to the article, 200 million people use the passport service? Where can they possibly be getting figures that justify a statement like that?
Do 200 million people even use the web?
An online bank's opening has been marred by a glitch that let customers transfer money from any U.S. bank account.
This was a much larger problem than any problem with Passport ever could be -- you didn't have to use x.com to become a victim. Anyone with a U.S. bank account could be affected. But Paypal has become extremely popular, so I guess people have forgotten about this.
"Up to" is vague. It is true that "up to 7 billion people have as much money as Bill Gates", but it might be good to have a better estimate...
If you are counting hotmail accounts, many people have multiple accounts, which could get things up towards 200 million just in the US, so I am curious how many distinct users there really are. In particular, how many people have more than the default setup from having a hotmail account and actually have info in a Passport wallet? For people with multiple hotmail accounts (for different purposes, expired purposes or just forgot about it) presumably they would have one or only a few accounts with the credit card info and so on.
It's psychosomatic. You need a lobotomy. I'll get a saw.
Deep down Microsoft believes "information wants to be free".
Unfortunately there was never any express, written, or implied statement about *who's* information was going to be "free".
(My first Slashdot post. Be gentle)
If it is not on fire, it is a software problem.
This is exactly the reason I gave all false information when I got a hotmail account.
So what happens when all your faux-eggs are in 1 basket? One very confused hacker.
"Bill Gates
1 Microsoft Way Building G
Redmond, WA"
Eggs are cracked easily if force is applied right.
Enby in Waltham
I wonder how long it takes until we see:
"Windows update has detected that your passport is insecure. Please update passport"
"Windows update requires you to enter your passport information."
[x] always trust content from Microsoft
Being the cynic I am, this question always comes to mind when yet another "bug" shows up in an MS product.
An Open Source guy, having found a *severe* set of vulnerabilities in a commercial set of services that could, potentially, save M$ upwards of many millions of dollars in liability costs, it only makes good economic and political sense that Marc be reimbursed most lavishly for his informed (and thus billable, were he a consultant) insights.
What? You M$ apologists think his efforts should be FREE?
Brak: What's THAT?
Thundercleese: A light switch.. of TOTAL DEVASTATION!
You're supposed to sign up for a passport. Whenever you go to a porn site, and they ask for your email addy, give the msn one! Shit, don't let your home email addy become the collector of spam! Use Micro$oft for that! I do! Look at my email addy! Shit, do you think peezerot_grooathotmaildotcom fools anyone?
I pay cash, pad're ... don't you?
Sorry, this is offtopic, but it is related to MS and cookies:
I received an MS Word doc from a colleague. Since I didn't want to reboot to Windows, I tried using a conversion tool (wvHtml) on it, but it crashed. So out of desperation, I ran strings on the doc file. What did I find?
I found paragraphs of text, of course. However, I also found Netscape format cookies. Some were cookies from potentially sensitive sites, so it seems to me that these cookies shouldn't be in a doc file.
Is this expected behavior? I am not familiar with the MS Word file format, so I am hoping someone who is can explain.
Thanks...
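A mechanical way to check the claim above (Netscape-format cookie lines sitting inside a Word file) rather than eyeballing `strings` output. This is an added example, not code from the original post, from Microsoft or from wvHtml; the watchlist of domains, the cookie names and the sample document bytes are all constructed for the example. It scans raw bytes for the seven tab-separated fields of the Netscape cookies.txt format, so it works on any container (OLE2 .doc, RTF, a crash dump) without parsing it, and it truncates cookie values in its report so the report is not itself a leak.

```python
"""Scan a binary blob (e.g. a .doc) for embedded Netscape-format cookie records.

Added example for this thread; sample bytes, domains and cookie names are made up.
"""
import re
import sys
from typing import Dict, List, Sequence, Tuple

# One record of the Netscape cookies.txt format: seven tab-separated fields
#   domain  include_subdomains  path  secure  expiry(unix secs)  name  value
COOKIE_RECORD = re.compile(
    rb"(?P<domain>\.?[A-Za-z0-9.-]+)\t"
    rb"(?P<subdomains>TRUE|FALSE)\t"
    rb"(?P<path>/[^\t\r\n]*)\t"
    rb"(?P<secure>TRUE|FALSE)\t"
    rb"(?P<expiry>\d+)\t"
    rb"(?P<name>[^\t\r\n]+)\t"
    rb"(?P<value>[^\t\r\n]*)"
)


def find_netscape_cookies(blob: bytes) -> List[Dict[str, str]]:
    """Return every cookie record found anywhere in blob, decoded to str dicts.

    Runs over the raw bytes, so nothing about the surrounding file format
    (OLE2 headers, NUL padding, RTF) has to be understood first.
    """
    records = []
    for m in COOKIE_RECORD.finditer(blob):
        records.append({k: v.decode("ascii", "replace")
                        for k, v in m.groupdict().items()})
    return records


def domain_matches(domain: str, watch: str) -> bool:
    """True if a cookie domain (leading dot optional) is `watch` or a subdomain of it."""
    d = domain.lower().lstrip(".")
    w = watch.lower().lstrip(".")
    return d == w or d.endswith("." + w)


# Domains whose cookies should never leave the browser profile.
# Assumed watchlist for this example; adjust to your own environment.
SENSITIVE_DOMAINS: Sequence[str] = (".passport.com", ".hotmail.com", ".msn.com")


def sensitive_records(records: List[Dict[str, str]],
                      watchlist: Sequence[str] = SENSITIVE_DOMAINS) -> List[Dict[str, str]]:
    """Keep only records whose domain is on (or under) a watchlisted domain."""
    return [r for r in records
            if any(domain_matches(r["domain"], w) for w in watchlist)]


def redact(record: Dict[str, str], keep: int = 4) -> str:
    """One-line report with the cookie value truncated, so the report itself is not a leak."""
    v = record["value"]
    shown = v[:keep] + "..." if len(v) > keep else v
    return f'{record["domain"]}\t{record["name"]}={shown}\t(expires {record["expiry"]})'


def scan_bytes(blob: bytes) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (all cookie records, watchlisted cookie records) for a blob."""
    recs = find_netscape_cookies(blob)
    return recs, sensitive_records(recs)


# Constructed sample: OLE2 magic bytes, some document text, and two cookie
# records buried among NUL padding. Cookie names and values are made up.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
    + b"Quarterly report, draft 3.\x00\x00"
    + b".passport.com\tTRUE\t/\tFALSE\t1009843200\tMSPAuth\tABCDEF0123456789\n"
    + b"\x00" * 8
    + b".example.org\tTRUE\t/\tFALSE\t1009843200\tprefs\tlang=en\n"
    + b"\x00" * 4
)


if __name__ == "__main__":
    # Usage: python scan_cookies.py [file]; with no argument it scans the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DOC
    recs, bad = scan_bytes(data)
    print(f"{len(recs)} cookie record(s) found, {len(bad)} from watchlisted domains")
    for r in bad:
        print("  " + redact(r))
```

Run it against the suspect .doc instead of the built-in sample; a non-empty watchlisted result on a file that is supposed to be a document is the signal that something on the sending machine wrote browser state into the file, and the record's expiry and domain tell you which profile and which service to go and revoke.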
what happens at m$ headquarters when something like this is discovered? the way their quality control works, you'd think they just say "oh well, we'll get around to fixing it sometime." in most other companies, heads would roll.
They probably can't be sued for it, not in most jurisdictions at least. I haven't heard of any online shops or otherwise being sued over stolen CC numbers, and there have been a load of those.
And how much are you willing to bet that the credit card companies are going to consider registering your CC number in Passport being irresponsible behaviour and insufficient care taken in safeguarding it?
In which case you are the one taking the hit.
I hope you don't have a high limit on any card you use on the net. Preferably you should be using one-time CCs valid only for the amount you owe.
Yes, at the very least I tear out the code, rip it in half and throw away the pieces separately. Nor do I ever let my credit card out of my sight at a restaurant. If I make purchases online or over the phone I have a separate minimum-limit ($500 limit) card that I charge to. And if I'm really suspicious I create a one-time CC number with not more than the amount due available on it.
You do realize that you can be held liable for whatever charges your card incurs if you do not follow this kind of practice, don't you? And you do realize what happens if you are held liable for a $10K shopping spree that someone went on with your credit card? You pay it, you pay it at once, or your credit rating is slashed, you default on your house mortgage as your bank suddenly wants their money back and their money back _now_, you won't be able to get a new loan and you'll have to sell pretty much everything you own.
I'm not kidding, I've seen that happen. I have a coworker who makes as much as I do, who can barely afford to eat lunch in the company restaurant. Your life suddenly becomes a hell of a lot more expensive once you're put on rapid payback on all your loans and the interest rates you're paying are doubled.
Could the next bright fellow who comes up with a catastrophic failure in Microsoft's Passport or .NET software PLEASE NOT TELL THEM ABOUT IT!
Damn it! Can we stop freaking collaborating with them and propping them up and FIXING their problems for them while they rape our country and back us all into a corner? Can we get real here for just a second? Can we have some sense of proportion, as in 'these are the band of criminals found guilty in appeal after appeal who have corrupted even our _government_ and legal system and want us all either under control or out of commission'?
I am _ashamed_ that people are still collaborating with them. Anyone who researches this type of exploit- if you can't have the guts to use it as a weapon (since apparently that is the ONLY weapon we have against them) can you at least quietly shrug, and throw the exploit away without telling anyone? Mind not telling the enemy, please? Is that so very much to ask?
furrfu...
Stolen credit cards are one of the main sources of income for terrorist groups like al-Qaeda. How long before a follower of bin Laden finds a similar hole and people find their money being used to buy weapons for use against them?
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
(By the way, will you editors please stop ip banning my subnet? It makes it harder to put links in my slashdot comments that open people's hotmail accounts and automatically forward their credit card numbers to me)
But Microsoft .NET product manager Adam Sohn said the techniques used by Slemko are difficult to employ.
"These are very sophisticated exploits. This isn't just somebody downloading a script from a hacker site and running it," said Sohn, who reported the company has no evidence that anyone has taken advantage of the vulnerability.
Not only are these M$ bastards not appreciative of the potential lawsuits that might arise from such a serious breach of security, but they also have the audacity to downplay this and wipe it aside as if it's just another dust particle on a desk.
Well you know what I say? Since it's SO damn hard to exploit them, next time whoever finds an exploit should just keep it to themselves and wait for M$ to hang themselves.
eTrade SUCKS
You should never trust Microsoft with your Credit Cards, e-mail, servers or anything else for that matter.
Might sound like a flame, but just look at how many hacks, bugs, and general problems have happened to MS products in comparison to independent open-sourced ones. Perhaps it's time for me to start changing in the "Open Source Revolution"
My cardholder agreement very explicitly states that I *may* be held liable for a maximum of $50 in fraudulent charges, if those charges are due to my *card* being stolen. Note.. not the number.. the card itself.
So basically, aside from the inconvenience it may cause me having to get a new card, refute charges, etc.. I am not concerned about financial risk while using my credit card online. If someone does steal the number, a simple phone call is all it takes for me to refute all the charges. It would then be up to the merchants to PROVE that I authorized those charges. No signature? Wasn't shipped to my house? Tough.
The bottom line is right there on the back of your VISA card. Let me quote:
"Use of this Visa* card is subject to the terms of the Cardholder Agreement of which Cardholder acknowledges receipt by such use" (fair enough)
"THIS CARD IS THE PROPERTY OF AND ISSUED BY **** BANK AND MUST BE RETURNED ON REQUEST" (caps are how it is written)
There you go. It's not even YOUR card, it's the bank's. It's a token the bank issues you to represent the credit they have issued you.. period. If that token mechanism fails.. it's up to the bank to remedy the situation; they cannot hold you responsible, unless you lose that token and don't tell them... (in which case, obviously you have to shoulder some responsibility)
But why is Hotmail special? (OK, aside from the fact that most of the 200m Passport users MS claims probably got hooked in via that route.)
Passport is supposed to be an independent data store, right? A Passport-enabled client needs to know something about you and you've signed in, so they can go ask MS for that specific information. They aren't supposed to get anything else back. So, given that Hotmail is just another client (it is just another client, right?) then surely if you can break it using Hotmail, someone else could expose the same vulnerabilities via any other Passport-enabled client using similar Passport features.
So, what am I missing? What's so special about Hotmail? Why is Hotmail the gaping security hole?
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Security holes allow criminals to steal billions of dollars from all over the world! It's e-terrorism!
The Unanonymous Coward
Or you could just post it in any country in the free world that doesn't have the absurdities DMCA and such. You might try pretty much anywhere in Europe, for a start. :-)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I mean...come on. Does he think that exploits just poof themselves into existence?
For starters, before Slemko outed this exploit, essentially it WAS just downloading a script and running it. And secondly, is he belittling an exploit because it didn't get spread widely?
Arhghghg....his doublethink hurts my head.
According to Slemko, the fact that he needed just half an hour to cook up a way to exploit Passport's security flaws indicates that Microsoft is not fit to run a service with Passport's ambitions.
A HALF HOUR?!?!?!
DANG! This might be a good thing, then the security holes will be so glaringly obvious that maybe (please) someone important will help the little guys (hey! that's us!) out.
Check out page 11 in latest issue of 2600 or look here
;)
Sucks to be M$ oriented, don't it
Makes one wonder why there's such a lack of quality control...
DaLeech
It's 10:00, do you know where *your* wallet is?
I have a passport account, probably from accessing MSN, although I don't really recall how I got it.
I've been all over the Passport website, and I cannot figure out how to delete my account.
Does anybody know how to do it?
-Rick
But its when they piss off the smarter people the fun begins....
It's true. This is big, especially since I heard that XP asks you 5 times during the install if you want to sign up for Passport. Fewer people read this site on Saturday. This would be a better story for Monday.
I just pissed my pants. After Slashdot is done posting anti-Microsoft propaganda, can we post this to the front page? Thanks!
From the passport TOS: You are responsible for maintaining the confidentiality of your password and account information. Furthermore, you are responsible for all activities that occur in your account and you agree to notify Microsoft immediately of any unauthorized use of your account. Microsoft is not responsible for any loss that you may incur as a result of any unauthorized person using your account or your password.
There it is, in the last sentence.
Oh, and the standard disclaimer: IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OR PERFORMANCE OF THE PASSPORT SERVICES...
The fine print looks like M$ isn't responsible.
"Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
This type of attack is a few months old.
http://www.k2labs.org/security/passport/
The idea of using the frames exploit looks to be a new twist on things, however. The overall idea is still the same; it's a simple presentation attack. Still, the fact that this *STILL* works is a bit disturbing.
Oh, the article above was published in 2600 magazine.
Just because the EULA that you clicked through says that Microsoft does not hold any responsibility for something does not mean that a court of law would not impose responsibility for that action. If your account information was actually abused due to a security flaw in Microsoft software, you should sue anyway.
Best Slashdot comment ever
True that, but it does give them a somewhat taller leg to stand on by including that in the TOS/EULA.
"Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
You were going well up until this point:
Eventually, they'll get around to releasing a decent product
but that part didn't make sense to me, after all, this is MS we're talking about.
I can remember since the days of Windows 3 (about eight or nine years ago) that people have been hoping for Microsoft to eventually "release a decent product". We're still waiting for it. With every new release, people seem to forgive MS immediately and brush it off with "oh well, maybe the next version will be good, we'll endure the suffering in the meantime". (Perhaps XP is "it", but then is it really acceptable to wait close to *ten years*, and pay several times over during the wait, to get a half-decent product which is anyway several years behind what OSs should be by now, technologically? I can't think of a feature in any Microsoft Windows version that hadn't already been around for several years in some other system, and that includes XP)
I too have a Hotmail account!!!
Come to think of it, I have at least 5 of them, all with funny names.
Judging from the options Hotmail returns to me when I try to register a funny name and it's already taken (it suggests things like funnyname54@hotmail.com), I would say I'm not the only one...
Frankly, I'm getting a little sick of this whole thing about M$ having security holes and making it into a big deal whenever they get hacked... Let it rest, we've heard it before.
XP is sooooo much more secure (and generally better) than any other version of Windows.
And what "pay-per-use" are you talking about? I use XP and never heard of this?
Why don't you try using a product before bad-mouthing it?
How many individual people have hotmail accounts? Raise your hand if you personally have more than two hotmail accounts. That's what I thought. The numbers are quite misleading.
Oh, and my apologies to JohnSmith@hotmail.com, JohnDoe@hotmail.com, JohnJohnson@hotmail.com, and anyone else I've registered for the NYT online free registration, etc.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.