Slashdot Mirror
Passport's Pocket Picked
emmons writes: "It looks like there's another hole in MS Passport according to Wired. This one allowing a user to steal another user's Passport Wallet, credit cards and all, by getting them to open a hotmail message. Nice." What happens when someone steals the basket with all your eggs?
great... the single greatest magnet for spam is also an open book to your credit cards. I can see it now: "Hot dirty sex... you've paid for it already, so you might as well cum see!"
"You've already paid the fee to get in on our bogus pyramid scheme, so now it's YOUR turn to go steal from someone else!"
Inconceivable!
> In addition, the company has modified a software timer so that Passport users must re-enter their password anytime they attempt to access the wallet service.
:)
will be
> In addition, the company has modified a software timer so that Passport users must re-enter all the information associated with their passport account (including their Wallet account) anytime they attempt to access the wallet service.
Which might be shortly followed by the first time MS has ever been able to claim their technologies are relatively secure. (Yes, I'll avoid being a jerk and suggesting anyone can ever be 100% secure.
"Old man yells at systemd"
If this is Microsoft's unviersal security solution, I can';t believe they'd put out something that can be so easily cracked without knowing it.
Is it concievable that M$FT is deliberately designing holes, staging exploits and publicizing them in order to get popular support for federally controlled security systems and universal elimination of anonymity?
The anthrax could be the same thing.. government allowing it to spread, or spreading it themselves, to pressure Congress to pass the USA PATRIOT act, which they did, and to pressure us to accept strictures on our behavior?
In both cases, ask: Quo bono? In the current climate, who benefits from these activities?
Terrorists don't benefit from the anthrax, and OSS doesn't benefit from these Passport exploits. In both cases, the government benefits.
Goat sex free since 2001
I remember a year or two ago a person could send you an email and obtain your hotmail account. Hotmail is a gaping hole in the passport service.
With passport, microsoft wishes to be the customs agent of the internet. However, with flaws like this they really are not going to turn many people over to their side.
I'm sure more exploits will pop up in the future. Most of them will likely use hotmail in someway or another to enter.
ok, obviously my post will be rejected as this one already made it through (they rejected Marc's initial story which I guess shouldn't surprise me), but here's more linkage about where you can read about the technical details:
Marc's Passport Advisory
What happens when someone steals the basket with all your eggs?
Send special forces to kill the bunny. And cluster bombs, lots of fucking cluster bombs
Hammer of Truth
Anyone remember the story with MS whining about how security people should just shut their cake-hole and not "reveal" exploits? I wonder if they'll take the same stance on this one.
"Well, it wouldn't have been too much of a problem until those meddling kids at Apache showed up..."
If you were me, you'd be good lookin'. - six string samurai
I really like this part:
In addition, the company has modified a software timer so that Passport users must re-enter their password anytime they attempt to access the wallet service.
While Slemko's exploit, which relied on stealing browser cookies used by Passport, has been rendered inoperable by Microsoft's fixes, the programmer said "deeper issues" remain with the service.
"Passport's greatest marketing strength -- the single sign-on -- is also its chief technical weakness. It will be fairly trivial for attackers to dream up new ways of exploiting this," he said.
Why? I installed XP for my dad, everything works perfectly. The OS is great. I got tired of passport starting up, so I clicked on it, cancled a few prompts, went to settings, check 'do not start up on boot', and closed the program. IT STILL STARTS UP ON BOOT. My point is that MSFT has made it very difficult to stop the damn thing from starting. Screw Passport.
Life is like pants... fit in or you don't fit in.
Where did your wallet go today?
-Zane
This sig is worse than my last.
MS seems to have Single Point of Failure problems in a lot of things: the Registry, any one?
It doesn't mean much now, it's built for the future.
Quoting a gem from the article:
"More than 70 sites are in the process of deploying Passport's authentication technology, according to Microsoft. Among them is Prudential Banking's Egg.com online bank, which is switching to Passport..."
Egg.com sounds kind of ironic. Must be quite a marketing effort on Microsoft's behalf getting banks to deploy not tested technology on a mass scale.
Who'd like to file suit with the FTC against Microsoft for false advertising? I think we all know that there is no such thing as absolute sceiruty, or that security is a process, not a result, etc etc. But does the average non-geek American know that? For that matter, does the marketing deparment at Microsoft know that?
You can't market a product as having qualities it doesn't have without getting into trouble with the FTC. Granted, MS will try to spin this as "Those bad Linux hackers will steal your data!" The fact remains that they've lied to the American consumer. I think they need to be forced to amend their advertising.
Sad isn't it, here is the VERY thing all those "privacy people" keep screaming about. The thing that MS says won't happen. The idea should chill us all to the core, after all with XP released it's just a matter of time before a magority of american's will have a "passport". Will it be reported by any big news organizations? Will it make front page (it should).
In the end I guess I best move to the bahamas and start ordering lots of neat things with all these new credit card numbers that magically appeared in my hotmail account.
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
Interestingly, this is exactly what will happen.
Only the discoverer of the hole will be forced to announce it anonymously, and publish it only in dark little places where the lawyerly eyes of Microsoft won't find it. And unscrupulous eyes will.
I can see it happening already. And Microsoft would not even hear of the hole until it's far, far too late. It will be a very, very dark day if information is compromised on this scale.
The DMCA in this case would directly contribute to the destruction of the integrity of the Passport system.
Simply put - if only outlaws find security holes, then only (genuine) outlaws will have access to them.
Maybe I'm being stupid here, but what's the diff between Passport and PayPal, and why hasn't PayPal been a crack target?
Also, I had no idea 165 MILLION people were already using Passport - I suppose my OS hasn't asked me enough times to sign up for it until I break under the strain...
"Look, Smithers! I'm Davy Crockett!"
I haven't read the pasport user's agreement, but would I be incorrect in guessing that Microsoft takes no responsibility for the safety of one's personal data? We're sorry we ruined your life, but if you read the fine print you will see that we are not responsible for anything. When will Microsoft be held responsible for it's actions?
"To those who are overly cautious, everything is impossible. "
This shows that your private information may not be in the best hands when entrusted to a company
like Microsoft. But there are other 'takers'. Some even with the best of intentions.
If any of them ever gets to be the one and only 'central repository', they will be subject to just this kind of attack as well. If you can't compromise the service, then hack into the user's desktop. As soon as enough people use it, it becomes a very attractive target. In a similar vein, there have been viruses that target the client end of home-banking software.
Security is enhanced by redundancy, by having several distinct systems in place, preferably as dissimilar as possible. Monoculture and monopolies always form a fertile environment for viruses and other pests.
I feel this makes the whole idea of a centralized service like Passport or any of it's competitors an extremely dangerous development.
I never (knowingly) allow any site to keep my CCnumber and why I always use a "temporary" CC number (for example Amex Private Payments).
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
While I make this point in my paper, I just wanted to make sure people understood:
The real risk here isn't to hotmail or passport wallet (passport wallet isn't really an integral part of passport, just another service using it for authentication). It is to all things using passport. That isn't so much right now. But if Microsoft has their way, it will be. The sample exploit used Hotmail and Passport Wallet simply because they are commonly used services.
I would also like to note that Microsoft has been quite forthcoming with details and admitting the problems and fixing them. They are very good at being reactive. We will have to see how well this works going forward.
eXport Privacy
Comment from Passport's program manager:
the wallet service will remain offline until the company can add additional security features "to ensure that similar exploits cannot be used to compromise our user's credit card information."
What's the standard for this? Based on Microsoft's track record, a new exploit will come up regardless of how many patches are issued. No way I'm going to let them keep my personal data. Too bad the average consumer may not realize this.
While we espouse our need to breakup Microsoft we have overlooked our great need to sue for negligence and false advertising. Their products do not perform safely nor with the diligence we as consumers need. This is another case of a lack of thought and concern put into a consumer product. If Passport were a vehicle or food product, the manufacturer would have been sued for negligence.
Of course we torture people, we need the information --Gen. Pinochet
People seem to be blowing this out of proportion, IMHO.
How often do you hand your credit card to a server at a restauraunt? A store? Over the phone to pay for something? Are you forgetting that your credit card number can easily be stolen that way? Most receipts from purchases have your credit card number on them. Do you shred / burn them to stop someone from getting your CC #?
I can't beleive this actually happened. I mean, their entire .NET initiative is riding on this passport business and showing they can secure your information.
What folks need to do is hold off on publishing these exploits (as Microsoft requests) until they've got a lot more riding on it. When a couple of banks lose a couple of million bucks on this, not to mention the confidence of their customers, well, then you might get some real coverage.
Remember, Microsoft wants to build houses of straw, and likes to call anyone who points out they are made of straw terrorists. Of course, as soon as I see that attitude from someone I'm supposed to trust I run as far and as fast as I can just as I'd run from a used car salesmen who wouldn't let my mechanic check out the car.
You will be assimilated. Resistance is fut- HEY! Who took my wallet?
What happens when someone steals the basket with all your eggs?
Eggs? What you talkin' all about eggs for? Don't give me none of that Gibber-Jabber, or you best be tossed!
You took a wallet? I don't see no crazy wallet! You're talking like Face, crazy fool!
Besides, you don't need no wallet! Just dial
1-800-COLLECT and save a buck or two.
XP? That better mean Xtra Punishment, cause that's what I'm gonna do to that Gates fool! He can't escape me, cause my van's hella fast!
Don't do drugs! Drink milk!
Come here, sucka. I'll toss you!
In fact, Microsoft was actively contacting reporters to let them know about the issue and try to put their spin on it even before I released my exploit.
A number of Microsoft employees also leaked it to their friends after I reported it to Microsoft, and it started spreading from there.
And even Microsoft's lawyers were in on the gig of making sure everyone knew about it.
But seriously... Microsoft has been, and almost always is, very good about timely responses to security reports. Their problem is in dealing with them without having to be told by some Joe User that they have problems.
Dell Computer: $1099 .NET services: $19.95/mo
:p
Microsoft Windows XP: $219
Compaq IPaq with Windows CE: $499
Subscription to
Microsoft Passport: Free*
Having your MasterCard(TM) info on the net for anyone to see:
Priceless.
(*note: This is a parody of the successful "Priceless" MasterCard(TM) advertising venture. As a parody it is protected under the 1st amendment established by MasterCard(TM) v. Nader)
People shape laws. Not the other way around.
The typical user does NOT get this information.
They are happily using their Hotmail accounts and have NO clue that these things exist. Sure, they might have it in PC World, or maybe the Technology section of the Times, but my MOTHER does not read these things. Only us geeks in the industry know ( we are a small percentage of the population).
Microsoft will fix this to appease the security experts, but that's about it.
As long as Joe Sixpack can stay happily ignorant, MS is happy. For example, one of my friends, a very intelligent Nuclear Physicist, just got suckered in to a CompUSA MegaPC w/ 1.2 GHZ, 1 GB RAM , DVD RAM and Windows XP for anout 5 Grand. He browses the web PERFECTLY fine on his 988 MHZ PC. He said the "pretty colors" of XP sold him. I told him of the security flaws and reasons for not going with XP (never mind the absolute non-necessity of the PC), and his response was "How come I haven't heard about these things you talk about?" I had no answer. That's how Microsoft stays in power. If we step outside the industry for a minute, we can see that Linux means nothing to most people, AOL IS the internet, and Windows IS a computer. How do we fix this? I don't know, but someone must.
If you're not a Liberal in your 20's, then you have no heart.If you're still a Liberal in your 30's you have no brain.
I have been ranting to all of my clients and friends about this sort of problem ever since MS came up with the idea of passport.
Scenario:
2 years from now 150 million people actually have their personal details and credit card numbers stored with MS (this isn't so now, people have passport accounts by default due to hotmails reliance)
Another hack comes out and it is proven that the vast majority of credit card numbers for people were compromised.
Visa, Amex, Mastercard et al are forced to re-issue credit cards to all people using passport
The global economy is severely disrupted due to the downturn in online spending, the overall costs incurred by the replacement and the lack of consumer confidence in online shopping, banking etc
Microsoft point to the famous "we're not liable for jack shit" clause in the agreement
So what happens? Does MS still get sued? Do the credit card companies just sit back, hemorrhage and go "Oh well, shit happens."?
Most importantly, do consumers finally realise that they have been taken for a ride for the last 7 years and boycott?
This really scares me. Giving personal details to any company is bad. Giving them to a company with a severely impaired security record is just plain stupid.
"Up to" is vague- It is true that "up to 7 billion people have as much money as Bill Gates", but it might be good to have a better estimate...
If you are counting hotmail accounts, many people have multiple accounts, which could get things up towards 200 million just in the US, so I am curious how many distinct users there really are. In particular, how many people have more than the default setup from having a hotmail account and actually have info in a Passport wallet? For people with multiple hotmail accounts (for different purposes, expired purposes or just forgot about it) presumably they would have one or only a few accounts with the credit card info and so on.
It's psychosomatic. You need a lobotomy. I'll get a saw.
Yes, at the very least I tear out the code, rip it in half and throw away the pieces separately. Nor do I ever let my credit card out of my sight at a resturant. If I make purchases online or over the phone I have a separate minimum-limit ($500 limit) card that I charge to. And if Im really suspicious I create a one-time cc number with not more than the amount due available on it.
You do realize that you can be held liable for whatever charges your card incurs if you do not follow this kind of practice, dont you? And you do realize what happens if you are held liable for a $10K shopping spree that someone went on with your credit card? You pay it, you pay it at once, or your credit rating is slashed, you default on your house mortgage as your bank suddenly wants their money back and their money back _now_, you wont be able to get a new loan and you'll have to sell pretty much everything you own.
Im not kidding, I've seen that happen. I have a coworker who makes as much as I do, who can barely afford to eat lunch in the company resturant. Your life suddenly becomes a helluvalot more expensive once you're put on rapid payback on all your loans and the interest rates you're paying are doubled.