Passport's Pocket Picked
emmons writes: "It looks like there's another hole in MS Passport according to Wired. This one allowing a user to steal another user's Passport Wallet, credit cards and all, by getting them to open a Hotmail message. Nice." What happens when someone steals the basket with all your eggs?
Interestingly, this is exactly what will happen.
Only the discoverer of the hole will be forced to announce it anonymously, and publish it only in dark little places where the lawyerly eyes of Microsoft won't find it. And unscrupulous eyes will.
I can see it happening already. And Microsoft would not even hear of the hole until it's far, far too late. It will be a very, very dark day if information is compromised on this scale.
The DMCA in this case would directly contribute to the destruction of the integrity of the Passport system.
Simply put - if only outlaws find security holes, then only (genuine) outlaws will have access to them.
Good conspiracy theory, but I would have to say look at history in this case. MS is threatened. Sales revenue is in the toilet and the outlook for future sales is even bleaker. They have to come up with a strategy and implement it fast. What do they do?
What they always have done. Rush a half-finished product out the door, and use whatever leverage they have to force it on whoever they can, while keeping the engineers busy in the back room with the bubblegum and duct-tape. Eventually, they'll get around to releasing a decent product.
Course, I won't be buying it then either. 8*)
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
Hotmail is also the source of all of the passport accounts. Microsoft knows that Windows XP is not going to generate enough Passport accounts to entice web sites to start including Passport hooks. Hotmail, on the other hand, is very popular, and already has millions of users. Besides, if Microsoft can't design a secure Passport site, what is the chance that the bozos at your bank are going to be able to design a secure Passport site?
In other words Hotmail is both the primary draw for Passport, and an important proof of concept. Unfortunately for Microsoft it is also a huge gaping pile of security holes.
The typical user does NOT get this information.
They are happily using their Hotmail accounts and have NO clue that these things exist. Sure, they might have it in PC World, or maybe the Technology section of the Times, but my MOTHER does not read these things. Only us geeks in the industry know (we are a small percentage of the population).
Microsoft will fix this to appease the security experts, but that's about it.
As long as Joe Sixpack can stay happily ignorant, MS is happy. For example, one of my friends, a very intelligent Nuclear Physicist, just got suckered into a CompUSA MegaPC w/ 1.2 GHz, 1 GB RAM, DVD RAM and Windows XP for about 5 Grand. He browses the web PERFECTLY fine on his 988 MHz PC. He said the "pretty colors" of XP sold him. I told him of the security flaws and reasons for not going with XP (never mind the absolute non-necessity of the PC), and his response was "How come I haven't heard about these things you talk about?" I had no answer. That's how Microsoft stays in power. If we step outside the industry for a minute, we can see that Linux means nothing to most people, AOL IS the internet, and Windows IS a computer. How do we fix this? I don't know, but someone must.
If you're not a Liberal in your 20's, then you have no heart. If you're still a Liberal in your 30's, you have no brain.