Slashdot Mirror


Passport's Pocket Picked

emmons writes: "It looks like there's another hole in MS Passport according to Wired. This one allowing a user to steal another user's Passport Wallet, credit cards and all, by getting them to open a hotmail message. Nice." What happens when someone steals the basket with all your eggs?

18 of 327 comments

  1. pre-paid Spam by DataPath · · Score: 5, Funny

    great... the single greatest magnet for spam is also an open book to your credit cards. I can see it now: "Hot dirty sex... you've paid for it already, so you might as well cum see!"

    "You've already paid the fee to get in on our bogus pyramid scheme, so now it's YOUR turn to go steal from someone else!"

    --
    Inconceivable!
  2. more info by Leper · · Score: 5, Informative

    ok, obviously my post will be rejected as this one already made it through (they rejected Marc's initial story which I guess shouldn't surprise me), but here's more linkage about where you can read about the technical details:

    Marc's Passport Advisory

  3. Well so much for single sign-on by geophile · · Score: 5, Informative

    I really like this part:

    In addition, the company has modified a software timer so that Passport users must re-enter their password anytime they attempt to access the wallet service.

    While Slemko's exploit, which relied on stealing browser cookies used by Passport, has been rendered inoperable by Microsoft's fixes, the programmer said "deeper issues" remain with the service.

    "Passport's greatest marketing strength -- the single sign-on -- is also its chief technical weakness. It will be fairly trivial for attackers to dream up new ways of exploiting this," he said.


  4. XP Integration is evil by jeeryg_flashaccess · · Score: 5, Informative

    Why? I installed XP for my dad, everything works perfectly. The OS is great. I got tired of passport starting up, so I clicked on it, canceled a few prompts, went to settings, checked 'do not start up on boot', and closed the program. IT STILL STARTS UP ON BOOT. My point is that MSFT has made it very difficult to stop the damn thing from starting. Screw Passport.

    --
    Life is like pants... fit in or you don't fit in.
    1. Re:XP Integration is evil by Phil+Wherry · · Score: 5, Informative

      Passport really isn't an application on your desktop machine, but MSN Messenger (which requires Passport) is. Messenger is a really irritating application in its own right. And it's actually even more irritating if you have signed up for Passport using a Hotmail account, since it feels compelled to notify you of waiting email at Hotmail every eight microseconds--and it's essentially impossible to keep Microsoft from spamming you with "special offers" that you must know about right away.

      You can, however, uninstall it!

      Have a look at the file c:\windows\inf\sysoc.inf

      Then change the line that reads:


      msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7

      to

      msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,,7

      Then go to the Control Panel, choose Add/Remove Programs, then select the "Windows components" tag. You'll note that "Windows Messenger" now appears at the bottom of the list; just remove it, and Windows/MSN Messenger will bother you no more.
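As an added example (not from the post above or from Microsoft), here is a small Python script that performs the same edit programmatically: it parses the [Components] section of a sysoc.inf-style file, reports which components carry the hide flag, and clears that flag for a named component. The file content is constructed for the example; only the msmsgs line comes from the post, the other entries are illustrative.

```python
"""Inspect and clear the 'hide' flag on entries in an XP sysoc.inf [Components] section."""
import re

# Constructed sample in the shape of a sysoc.inf file. Only the msmsgs line is
# taken from the post; the other component lines are illustrative placeholders.
SAMPLE_SYSOC = """\
[Version]
Signature = "$Windows NT$"

[Components]
NtComponents=ntoc.dll,NtOcSetupProc,,4
msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7
Games=ocgen.dll,OcEntry,games.inf,,7
"""


def parse_components(text):
    """Return {name: [field, ...]} for every key=value line inside [Components]."""
    components = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and INF comments
            continue
        if line.startswith("["):                   # section header
            in_section = line.lower() == "[components]"
            continue
        if in_section and "=" in line:
            name, value = line.split("=", 1)
            components[name.strip()] = [f.strip() for f in value.split(",")]
    return components


def hidden_components(text):
    """Names whose fourth field (the flags field) is 'hide', case-insensitively."""
    return sorted(name for name, fields in parse_components(text).items()
                  if len(fields) > 3 and fields[3].lower() == "hide")


def unhide(text, name):
    """Return text with the 'hide' flag cleared on the named component's line only."""
    pattern = re.compile(
        r"^(%s=[^,\n]*,[^,\n]*,[^,\n]*,)hide(,.*)$" % re.escape(name),
        re.IGNORECASE | re.MULTILINE)
    return pattern.sub(r"\1\2", text)


if __name__ == "__main__":
    print("hidden before:", hidden_components(SAMPLE_SYSOC))
    print(unhide(SAMPLE_SYSOC, "msmsgs"))
```

Run against a copy of the real file rather than in place, and diff the result before replacing the original, since the same [Components] section drives the whole Windows Components list.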

  5. New Passport Slogan... by ZZane · · Score: 5, Funny

    Where did your wallet go today?

    -Zane

    --
    This sig is worse than my last.
    1. Re:New Passport Slogan... by mgblst · · Score: 5, Funny

      Linux Redhat: $59
      AOL Account: $20 a month
      Contribution to OSS fund: $1000

      Charging it to Bill Gates Credit Card: Priceless

      There are some rights money can't buy.
      For everything else, there's Microsoft Passport.

  6. File suit with the FTC by dillon_rinker · · Score: 5, Interesting

    Who'd like to file suit with the FTC against Microsoft for false advertising? I think we all know that there is no such thing as absolute security, or that security is a process, not a result, etc etc. But does the average non-geek American know that? For that matter, does the marketing department at Microsoft know that?

    You can't market a product as having qualities it doesn't have without getting into trouble with the FTC. Granted, MS will try to spin this as "Those bad Linux hackers will steal your data!" The fact remains that they've lied to the American consumer. I think they need to be forced to amend their advertising.

    1. Re:File suit with the FTC by ktakki · · Score: 5, Funny

      I am in the process of preparing a personal injury lawsuit against Microsoft.

      A few weeks ago, I happened to see their advertisement promising "99.999% uptime". The subsequent expulsion of my carbonated beverage through my nose injured my delicate nasal passages and frightened my cat.

      When I become Emperor of the Universe, Microsoft's advertisements will have to bear a Surgeon General's Warning.

      k.

      --
      "In spite of everything, I still believe that people are really good at heart." - Anne Frank
  7. And this will be reported by who? by cluge · · Score: 5, Interesting

    Sad, isn't it? Here is the VERY thing all those "privacy people" keep screaming about. The thing that MS says won't happen. The idea should chill us all to the core; after all, with XP released it's just a matter of time before a majority of Americans will have a "passport". Will it be reported by any big news organizations? Will it make front page (it should)?

    In the end I guess I best move to the Bahamas and start ordering lots of neat things with all these new credit card numbers that magically appeared in my hotmail account.

    --
    "Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
  8. Re:What happens when someone steals the basket wit by MaxwellStreet · · Score: 5, Insightful

    Interestingly, this is exactly what will happen.

    Only the discoverer of the hole will be forced to announce it anonymously, and publish it only in dark little places where the lawyerly eyes of Microsoft won't find it. And unscrupulous eyes will.

    I can see it happening already. And Microsoft would not even hear of the hole until it's far, far too late. It will be a very, very dark day if information is compromised on this scale.

    The DMCA in this case would directly contribute to the destruction of the integrity of the Passport system.

    Simply put - if only outlaws find security holes, then only (genuine) outlaws will have access to them.

  9. Re:Burning Reichstag by Shotgun · · Score: 5, Insightful

    Good conspiracy theory, but I would have to say look at history in this case. MS is threatened. Sales revenue is in the toilet and the outlook for future sales is even bleaker. They have to come up with a strategy and implement it fast. What do they do?

    What they always have done. Rush a half-finished product out the door, and use whatever leverage they have to force it on whoever they can, while keeping the engineers busy in the back room with the bubblegum and duct-tape. Eventually, they'll get around to releasing a decent product.

    Course, I won't be buying it then either. 8*)

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  10. it isn't just about hotmail and passport wallet by Marc+Slemko · · Score: 5, Interesting

    While I make this point in my paper, I just wanted to make sure people understood:

    The real risk here isn't to hotmail or passport wallet (passport wallet isn't really an integral part of passport, just another service using it for authentication). It is to all things using passport. That isn't so much right now. But if Microsoft has their way, it will be. The sample exploit used Hotmail and Passport Wallet simply because they are commonly used services.

    I would also like to note that Microsoft has been quite forthcoming with details and admitting the problems and fixing them. They are very good at being reactive. We will have to see how well this works going forward.

  11. Wow by augustz · · Score: 5, Interesting

    I can't believe this actually happened. I mean, their entire .NET initiative is riding on this passport business and showing they can secure your information.

    What folks need to do is hold off on publishing these exploits (as Microsoft requests) until they've got a lot more riding on it. When a couple of banks lose a couple of million bucks on this, not to mention the confidence of their customers, well, then you might get some real coverage.

    Remember, Microsoft wants to build houses of straw, and likes to call anyone who points out they are made of straw terrorists. Of course, as soon as I see that attitude from someone I'm supposed to trust I run as far and as fast as I can, just as I'd run from a used car salesman who wouldn't let my mechanic check out the car.

  12. Microsoft leaked it anyway by Marc+Slemko · · Score: 5, Funny

    In fact, Microsoft was actively contacting reporters to let them know about the issue and try to put their spin on it even before I released my exploit.

    A number of Microsoft employees also leaked it to their friends after I reported it to Microsoft, and it started spreading from there.

    And even Microsoft's lawyers were in on the gig of making sure everyone knew about it.

    But seriously... Microsoft has been, and almost always is, very good about timely responses to security reports. Their problem is in dealing with them without having to be told by some Joe User that they have problems.

  13. Re:Killing the messenger? by bstrahm · · Score: 5, Interesting

    I am just wondering what the legal implications of revealing a flaw to Microsoft are...

    Imagine this scenario...
    1) You discover a flaw that allows you to get a hold of everyone on the Internet's credit card
    2) You tell the vendor and wait.
    3) The vendor acknowledges the flaw and posts a patch
    4) In between 2 & 3 "nasty evil little hacker" discovers the same flaw and exploits it to his economic advantage (but not enough to get himself caught)
    5) Vendor discovers that "your" hack has been used against them for a period of time...

    Who would you send the cops after ???
    How would you go about proving your innocence? Don't get me started on Innocent until proven guilty -- I don't buy it for a second...

    6) spend 20-life in jail ???

  14. Re:Did anyone not see this coming? by Jason+Earl · · Score: 5, Insightful

    Hotmail is also the source of all of the passport accounts. Microsoft knows that Windows XP is not going to generate enough Passport accounts to entice web sites to start including Passport hooks. Hotmail, on the other hand, is very popular, and already has millions of users. Besides, if Microsoft can't design a secure Passport site, what is the chance that the bozos at your bank are going to be able to design a secure Passport site?

    In other words Hotmail is both the primary draw for Passport, and an important proof of concept. Unfortunately for Microsoft it is also a huge gaping pile of security holes.

  15. No one knows, or cares by xtremex · · Score: 5, Insightful

    The typical user does NOT get this information.
    They are happily using their Hotmail accounts and have NO clue that these things exist. Sure, they might have it in PC World, or maybe the Technology section of the Times, but my MOTHER does not read these things. Only us geeks in the industry know (we are a small percentage of the population).
    Microsoft will fix this to appease the security experts, but that's about it.
    As long as Joe Sixpack can stay happily ignorant, MS is happy. For example, one of my friends, a very intelligent Nuclear Physicist, just got suckered in to a CompUSA MegaPC w/ 1.2 GHz, 1 GB RAM, DVD RAM and Windows XP for about 5 Grand. He browses the web PERFECTLY fine on his 988 MHz PC. He said the "pretty colors" of XP sold him. I told him of the security flaws and reasons for not going with XP (never mind the absolute non-necessity of the PC), and his response was "How come I haven't heard about these things you talk about?" I had no answer. That's how Microsoft stays in power. If we step outside the industry for a minute, we can see that Linux means nothing to most people, AOL IS the internet, and Windows IS a computer. How do we fix this? I don't know, but someone must.

    --
    If you're not a Liberal in your 20's, then you have no heart. If you're still a Liberal in your 30's you have no brain.