Slashdot Mirror
Passport's Pocket Picked
emmons writes: "It looks like there's another hole in MS Passport according to Wired. This one allowing a user to steal another user's Passport Wallet, credit cards and all, by getting them to open a hotmail message. Nice." What happens when someone steals the basket with all your eggs?
Anyone remember the story with MS whining about how security people should just shut their cake-hole and not "reveal" exploits? I wonder if they'll take the same stance on this one.
"Well, it wouldn't have been too much of a problem until those meddling kids at Apache showed up..."
If you were me, you'd be good lookin'. - six string samurai
Quoting a gem from the article:
"More than 70 sites are in the process of deploying Passport's authentication technology, according to Microsoft. Among them is Prudential Banking's Egg.com online bank, which is switching to Passport..."
Egg.com sounds kind of ironic. Must be quite a marketing effort on Microsoft's behalf getting banks to deploy not tested technology on a mass scale.
Who'd like to file suit with the FTC against Microsoft for false advertising? I think we all know that there is no such thing as absolute sceiruty, or that security is a process, not a result, etc etc. But does the average non-geek American know that? For that matter, does the marketing deparment at Microsoft know that?
You can't market a product as having qualities it doesn't have without getting into trouble with the FTC. Granted, MS will try to spin this as "Those bad Linux hackers will steal your data!" The fact remains that they've lied to the American consumer. I think they need to be forced to amend their advertising.
Sad isn't it, here is the VERY thing all those "privacy people" keep screaming about. The thing that MS says won't happen. The idea should chill us all to the core, after all with XP released it's just a matter of time before a magority of american's will have a "passport". Will it be reported by any big news organizations? Will it make front page (it should).
In the end I guess I best move to the bahamas and start ordering lots of neat things with all these new credit card numbers that magically appeared in my hotmail account.
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
There have been attempts to get PayPal user's information. Quite a while ago somebody set up a site called PayPaI.com (note the capital I) and sent out spams that linked to the site. the site looked just like PayPal with a place to type your username and password.
While I make this point in my paper, I just wanted to make sure people understood:
The real risk here isn't to hotmail or passport wallet (passport wallet isn't really an integral part of passport, just another service using it for authentication). It is to all things using passport. That isn't so much right now. But if Microsoft has their way, it will be. The sample exploit used Hotmail and Passport Wallet simply because they are commonly used services.
I would also like to note that Microsoft has been quite forthcoming with details and admitting the problems and fixing them. They are very good at being reactive. We will have to see how well this works going forward.
I can't beleive this actually happened. I mean, their entire .NET initiative is riding on this passport business and showing they can secure your information.
What folks need to do is hold off on publishing these exploits (as Microsoft requests) until they've got a lot more riding on it. When a couple of banks lose a couple of million bucks on this, not to mention the confidence of their customers, well, then you might get some real coverage.
Remember, Microsoft wants to build houses of straw, and likes to call anyone who points out they are made of straw terrorists. Of course, as soon as I see that attitude from someone I'm supposed to trust I run as far and as fast as I can just as I'd run from a used car salesmen who wouldn't let my mechanic check out the car.