Passport's Pocket Picked
emmons writes: "It looks like there's another hole in MS Passport according to Wired. This one allows a user to steal another user's Passport Wallet, credit cards and all, by getting them to open a Hotmail message. Nice." What happens when someone steals the basket with all your eggs?
Who'd like to file suit with the FTC against Microsoft for false advertising? I think we all know that there is no such thing as absolute security, or that security is a process, not a result, etc etc. But does the average non-geek American know that? For that matter, does the marketing department at Microsoft know that?
You can't market a product as having qualities it doesn't have without getting into trouble with the FTC. Granted, MS will try to spin this as "Those bad Linux hackers will steal your data!" The fact remains that they've lied to the American consumer. I think they need to be forced to amend their advertising.
Sad, isn't it? Here is the VERY thing all those "privacy people" keep screaming about. The thing that MS says won't happen. The idea should chill us all to the core; after all, with XP released it's just a matter of time before a majority of Americans will have a "passport". Will it be reported by any big news organizations? Will it make the front page? (It should.)
In the end I guess I best move to the Bahamas and start ordering lots of neat things with all these new credit card numbers that magically appeared in my Hotmail account.
"Science is about ego as much as it is about discovery and truth" - I said it, so sue me.
While I make this point in my paper, I just wanted to make sure people understood:
The real risk here isn't to hotmail or passport wallet (passport wallet isn't really an integral part of passport, just another service using it for authentication). It is to all things using passport. That isn't so much right now. But if Microsoft has their way, it will be. The sample exploit used Hotmail and Passport Wallet simply because they are commonly used services.
I would also like to note that Microsoft has been quite forthcoming with details and admitting the problems and fixing them. They are very good at being reactive. We will have to see how well this works going forward.
I can't believe this actually happened. I mean, their entire .NET initiative is riding on this Passport business and showing they can secure your information.
What folks need to do is hold off on publishing these exploits (as Microsoft requests) until they've got a lot more riding on it. When a couple of banks lose a couple of million bucks on this, not to mention the confidence of their customers, well, then you might get some real coverage.
Remember, Microsoft wants to build houses of straw, and likes to call anyone who points out they are made of straw a terrorist. Of course, as soon as I see that attitude from someone I'm supposed to trust I run as far and as fast as I can, just as I'd run from a used car salesman who wouldn't let my mechanic check out the car.
I am just wondering what the legal implications of revealing a flaw to Microsoft are...
Imagine this scenario...
1) You discover a flaw that allows you to get a hold of everyone on the Internet's credit card
2) You tell the vendor and wait.
3) The vendor acknowledges the flaw and posts a patch
4) In between 2 & 3 "nasty evil little hacker" discovers the same flaw and exploits it to his economic advantage (but not enough to get himself caught)
5) Vendor discovers that "your" hack has been used against them for a period of time...
Who would you send the cops after ???
How would you go about proving your innocence? Don't get me started on "innocent until proven guilty" -- I don't buy it for a second...
6) spend 20-life in jail ???