Microsoft's Hotmail Challenge Backfires
Barence writes "Microsoft challenged the editor of PC Pro to return to Hotmail after six years of using Gmail, to prove that its webmail service had vastly improved — but the challenge backfired when he had his Hotmail account hacked. PC Pro's editor says he was quietly impressed with a number of new Hotmail features, including SkyDrive integration and mailbox clean-up features. He'd even imported his Gmail and contacts into Microsoft's service. But the two-week experiment came to an abrupt end when Hotmail sent a message containing a malicious link to all of his contacts. 'What's even more worrying is that it's not only my webmail that's been compromised, but my Xbox login (which holds my credit card details) and now my PC login too. Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features such as the Metro Store, synchronization and SkyDrive,' he writes."
Other than that, would this be an experience you would recommend to others?
Hotmail sent a message containing a malicious link to all of his contacts
It seems to me that it was convincingly demonstrated that Hotmail has a few features that Gmail lacks.
Good job Microsoft!
Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features
So the Marketing department got the green light over the Security department during the development of Windows 8. Naturally, it is the Security department's responsibility to ensure that when the Marketing department does something stupid like linking account credentials between two separate administrative domains, it's Security's responsibility to sprinkle magic fairy dust over it.
Okay, I'd like my $80,000 bonus now, and a letter of resignation from the chief designer of the Windows Live security team please. Also, let the marketing department know that we'll need to find someone to spin the bad press away, you know, the usual crap about it being a beta release and then suing him for violating the NDA that says he can only report positive experiences with the beta.
#fuckbeta #iamslashdot #dicemustdie
From the article (but curiously missing from the summary):
(Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It’s not the world’s strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn’t that weak, either.)
In other words he used a shitty password and got hit by a dictionary attack. Nothing new or interesting here. Move along.
This shouldn't affect his opinion of Hotmail at all...
Or did he just use a crappy password or have malware already on his computer? I know it's popular to bash MS, and I dislike the account convergence we are rapidly screaming towards, but blaming the service when it was more likely that he created the vulnerability is just tacky.
From the story: 'For those of you inquiring about the strength of my Hotmail password - it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun.'
I smell that I am not getting quite the full story here...
Somehow this reminds me of the glorious 90s, when music was great, anime looked the best, and Hotmail became the first web email account I had ever used...
Stop making your password "notpassword"!
So, a fairly public persona publicly announces that he's switching to Hotmail to give it a go. And has a weak-sauce password:
(Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It’s not the world’s strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn’t that weak, either.)
And somehow this is Microsoft fault? He's just asking to be hacked, and with a weak password like this? *sigh*
In other news it's my home builder's fault that I left my keys in my door and I was robbed.
Everyone that disagrees with me is a paid shill
It's only recently (Nov. 2010) that hotmail even had the option of using SSL:
http://windowsteamblog.com/windows_live/b/windowslive/archive/2010/11/09/hotmail-security-improves-with-full-session-https-encryption.aspx
And SSL still isn't the default option for hotmail.
Gmail at least had the option for SSL for many many years, and google made SSL the default a few years back (after they got hacked by the Chinese).
Hotmail login same as windows log on and windows store with CC? WOW windows 8 may flop so bad that they have to have a windows 9 next year or a windows 7.5
Why is this in idle? After that blatant dupe earlier...
You are grounded!
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Most people I help or talk with have been hacked on hotmail. Microsoft must have no security, I've been hearing about hotmail hacks for a long time. Suggestion, don't use hotmail :-) Very unsecure
LastPass
http://www.lastpass.com
MS is continually bashed for security reasons, and mocked for being a virus spreading engine etc etc. Those who continually make such silly and baseless allegations, as evidenced by the story above, don't even once think about the alternatives and THEIR security problems.
After dumping Windows and MS products in general a few years ago, I have had a first hand hard lesson in the problems of 'alternative' OSes, if you can call them that. My problems have been nearly unending since switching to Linux, I mean just last month, or was it the month before, my laptop crashed. This wasn't the first time either, it routinely happens 2-3 times a year.
Think about it people, if you don't use MS, you might not have horrific security problems that compromise all connected devices and identities, but you may have to suffer through a similar fate to me. Be careful what you ask for, and THINK before you whine in public.
-Charlie
"...forcing me to include a capital letter, a number, a set number of characters and a symbol from the Ancient Greek alphabet (I exaggerate only slightly)."
His password was most likely 'editors' and is wondering how he was "hacked". It really is sad that such a fool can post news about the security, or lack thereof, of Microsoft's Hotmail service.
...perhaps this will light a fire under Microsoft to get their system a bit more secure (in spite of weak passwords like the one the guy used), and not allow things like spamming all contacts without some second-source notification/response, or some other easy to implement blocks to this sort of behavior.
And the result for consumers will be a more robust system in general (Microsoft Account/WindowsLiveID, as well as HotMail, Win8, XBoxLive, etc).
Failures often spur innovation and improvement. They're not always a bad thing (though this one is particularly embarrassing, it may be just that level of embarrassment that drives the motivation to work on solutions to the problem).
- Spryguy
There are three kinds of people in this world: those that can count and those that can't
That is all.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
http://xkcd.com/936/
Truth be told the passwords we actively encourage are no stronger than what he used.
If you want a really strong password, use a sentence of random words. Password length matters far more than password content - this is a simply provable fact - too bad hardly anybody in security realizes it.
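Added example (editor's note, not part of any comment above or of the article): the claim that length beats character-class rules can be checked with a few lines of arithmetic. The block below compares the keyspace of the seven-lowercase-letter password described in the article with an eight-character mixed-case alphanumeric one and with four- and six-word passphrases. The 7776-word list size (Diceware-style) and the attacker guess rates are assumptions chosen for illustration; the entropy figures are upper bounds that assume uniformly random choice, and a human-chosen "part acronym, part proper noun" string sits well below them.

```python
import math

# Added example; keyspace sizes and guess rates below are labelled assumptions.
LOWER = 26            # a-z
MIXED_ALNUM = 62      # a-z, A-Z, 0-9
DICEWARE_WORDS = 7776 # size of a Diceware-style word list (assumption)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely candidates for a uniformly random password."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password; an upper bound for a
    human-chosen one (structure such as acronyms or names lowers it)."""
    return length * math.log2(alphabet_size)


def expected_guesses(alphabet_size: int, length: int) -> int:
    """An attacker finds the password, on average, halfway through the keyspace."""
    return keyspace(alphabet_size, length) // 2


def seconds_to_crack(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password at a given guess rate."""
    return expected_guesses(alphabet_size, length) / guesses_per_second


def compare(policies, rates):
    """Return (label, bits, {rate_name: seconds}) for each password policy."""
    rows = []
    for label, alphabet, length in policies:
        bits = entropy_bits(alphabet, length)
        times = {name: seconds_to_crack(alphabet, length, r) for name, r in rates.items()}
        rows.append((label, bits, times))
    return rows


POLICIES = [
    ("7 lowercase letters (as in the article)", LOWER, 7),
    ("8 mixed-case alphanumerics", MIXED_ALNUM, 8),
    ("4 random Diceware words", DICEWARE_WORDS, 4),
    ("6 random Diceware words", DICEWARE_WORDS, 6),
]

# Assumed attacker speeds: an online guesser held to a few tries a second by
# throttling, versus an offline attack on a leaked fast unsalted hash.
RATES = {"online, 1 guess/s": 1.0, "online, 1000 guesses/s": 1e3, "offline, 1e10 guesses/s": 1e10}

if __name__ == "__main__":
    for label, bits, times in compare(POLICIES, RATES):
        print(f"{label}: {bits:.1f} bits ({keyspace_note(label)})" if False else f"{label}: {bits:.1f} bits")
        for name, secs in times.items():
            print(f"    {name}: {secs / 86400:.3g} days")
```

The numbers show the point made above: four random words from a 7776-word list (about 51.7 bits) beat eight mixed-case alphanumerics (about 47.6 bits), and both dwarf seven lowercase letters (about 32.9 bits, roughly 8 billion candidates), which an offline attack exhausts in well under a second.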
Unicode killed the ASCII-art *
This is not the first time I hear about a hotmail account being hacked to send malicious links. I had a few friends with the same problem, always hotmail. It's possible there is a serious security problem with the service. And even if there isn't, logic should be in place to suspend account who start mass emailing their contact lists with suspicious links, it shouldn't be that hard to stop.
I guess this is his wah! wah! moment but I am not buying it. Why were you running Windows 8? I saw some noob running it on his main computer the other day and I was tempted to tell him to uninstall it but I let sleeping dogs do their thing. An editor at pcmag should know better, no sympathy from me.
http://www.overtecno.com.br/wp-content/uploads/2011/03/nelson-simpsons-ah-ah-420x261.jpg
Keep an eye out for a handful of talking points repeated with similar words and phrases.
I'd never seen so much shilling for skydrive since that last post about Google's new data locker service.
His password is 7 lower case characters. It's a wonder his GMail account wasn't hacked ages ago.
Hotmail's default isn't SSL as far as I know, and their chat service isn't SSL or encrypted or even able to run encrypted (unlike Google's chat/XMPP). So it isn't exactly safe; not long ago someone was trying a dictionary attack of some sort for days on my MSN Messenger account, as it prevented me from logging in due to "too many password attempts" (when I had not been the one doing those attempts).
"Windows XP was the first stable OS to come out of that company" INCORRECT Windows 2000 was the first stable OS. XP was less stable than 2000.
I had the same issue last night. Strong password, not logged into hotmail itself in months. Looks more like a breach than anything else.
The only place I've used the password is in MSN in pidgin, I'm considering doing at least a cursory audit of pidgin.
Probably upwards of 20 times in the past year I have heard co-workers, acquaintances, relatives and others bleat "My Email Account Got Hacked!". These folks included AOL, Gmail and Hotmail users.
They didn't get hacked. They were naive. They got hoodwinked. They gave up information to some trojan or phishing email or keylogger. And, yes, many were using the same weak or semi-weak password on multiple sites including their email and Facebook and Amazon and such. They were for the most part completely oblivious that doing that was a Bad Idea.
I am about as far from a Microsoft fan or apologist as it is reasonable to be. I'll also allow that there may be problems in the Hotmail and Live! monoculture (that I am not the world's expert on as I don't use them). But when I read the author admit that he used a fairly weak 7-character, all-lower-case password how can I give this story any credit? Doesn't sound like a very diligent techie to me. Rather, it makes me wonder where else he used that password.
Delete your damn e-mail when you are done with it. Stop raping everyone's privacy.
I’d also set up Hotmail to import all my Gmail and its associated contacts. Not to mention the Facebook and LinkedIn contacts that Hotmail merges into your online address book.
Meaning that all these online services contained the password information for all the other services. Even if different passwords were used for each, the linkages between them all would allow a chain reaction if just one was compromised.
In fact, in the screenshot, I note he has an email about his Google account password being changed. I don't link my Hotmail and Gmail accounts, so I don't know, but does the Hotmail interface even display stored passwords?
but as that email address was also used as my iTunes login, I wanted to change that password as well.
How much of a problem would that be? Unless, of course, they also had the same password...
So I now had three new passwords – all using slightly different systems – swimming round my slightly inebriated brain, and I can’t even remember the name of my news editor when I’m sober.
That sounds an awful lot like he didn't already have a system for maintaining separate passwords for separate services.
For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun.
Being coy about what his former password was may indicate that the very same password is still in use elsewhere.
In the end: an unauthorized user accessed his Hotmail account, but I'm not seeing any strong evidence that it was Hotmail itself that got compromised.
My MSDOS 3.1 was never hacked or crashed, clearly that was the most stable and secure
The Kruger Dunning explains most post on
It's got to the point that it's comical, an almost 'oh, that Microsoft' quality.
Think of it from a BYOD mindset.
Now BYOD does have its own security issues, but something like this makes it worse.
and their new layout sucks. Totally. No colors in labels, screen spacing all wasted, hard to look at.
Meanwhile hotmail HAS improved.
I still prefer gmail, but the difference has narrowed mostly because of gmail's steps backwards into "Apple iTunes ripoff "I'm stupid like your grandma" design concepts. They fucked up something great and made it merely OK.
Hotmail still sucks in many ways, but their inbox is SO much easier to clean out now; that single improvement makes Hotmail easier in many ways to use than Gmail.
If Gmail were to ditch the shitty "everything has to be big and rounded and words have to disappear and be replaced by vague non-descriptive icons" blech, AND institute cleaning like Hotmail, they'd be miles ahead.
Now... if either took the invention of usenet provider Easynews, and allowed a "ranges" feature, they would be golden. If you use easynews, you know what I mean.
If not, it works like this - take a page of 300 items each with individual selection boxes. Click one near the top, one lower, another lower still, and then one more. Click "select ranges".
You get the whole range between your 1st and 2nd selection selected, items afterward are unselected until your NEXT selection, and those between that and the end selection are selected.
Hard to explain, but it's fucking BRILLIANT. No other site I've seen uses that, and it's fucking GREAT.
This space available.
Wow, dude. Sounds like you really need to relax a bit. Go with the flow.
De-stress or you will beat the last baby boomer to the graveyard. No party for you.
You know how every email program and every other email service in the world lets you quote the email you're replying to with '>' characters or similar, so you can interleave your replies with what you're replying to?
Only Hotmail lacks that feature.
When I get an email from someone that is obviously not really from them, my first thought is not that their email account was hacked. I generally assume someone picked their email address and used it for a false email header. It could have been sent from anywhere by anyone with no access to the real email system it belonged to at all.
I checked the article to get more details. It's hard to tell. What I really wanted to know was, did he check the information in one of these emails and determine that it really was sent from his account on Hotmail.
It seems much more likely to me that someone who would use a 7 character lower case password for their email account would probably use the same password at a multitude of other websites. He's probably used the same password for years.
I used the same password for nearly 10 years over many MMORPG's (and associated websites) before my Hotmail was hacked. Gmail followed shortly after that. There are an awful lot of machines that my password goes through that could be breached.
I still give points to Gmail though. When it was hacked it had a nice red bolded message informing me of the fact that it had been accessed by an IP that was not in my normal IP range. The only clue I had for my Hotmail was the large amount of sent mail and bouncebacks.
I can think lots of ways that his account could have been compromised that wouldn't be Hotmail's fault. I wish there was more details on how he got hacked exactly.
Even if many of microsoft's divisions perform excellently, one division's failure can spell doom for the total user experience.
This has always been my problem with microsoft.
Microsoft is like the GM or GE of the computing world, it's only endearing quality is its sheer massiveness. Nobody likes GE or GM as a whole, (though there are many who love say, an NBC or MSNBC show from GE or the Corvette from GM) though individual divisions can create somewhat brilliant offerings.
Microsoft needs to focus on less things and do them better, or just become a neutral commoditized platform provider and not worry about going toe to toe with the likes of Sony, Google or Apple.
As a user of Windows from version 3.1 hence (and the guy my entire family calls for PC issues) I'm tired of giving microsoft another chance to get it right, a decade of patronage is all I've got, I'm switching to other platforms.
I Hope OS X gets more gamer friendly or Linux gets a bit more driver inclusive.
It's called an integrated user experience... when Microsoft does it, it's cramming products down people throats...
Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features such as the Metro Store, synchronization and SkyDrive,' he writes.
Begs the question: Why would anyone who claims to be a "PC Pro" use Windows 8? Or even Windows 7. Or god forbid, Vista.
TFA is an anti-advertisement for "PC Pro", whatever it is, website or pulp.
XPSP3 was the end of the line for Windows. It is the most secure and least intrusive Windows OS for anyone who knows what they are doing.
Just my 2 cents, based on using and maintaining more than a dozen Windows laptops.
Fwiw, I have accounts on both Hotmail and Gmail, from near the inception of each, and neither of them have ever been hacked.
Sounds like he is an idiot who entered his password into some sort of malware. I have used hotmail/msn/xboxlive for a long time and the only people who get fooled into this type of attack are not tech savvy. Usually this type of attack appears from another user on MSN who sends you a message "HEY I POSTED THOSE PICTURES FROM THE PARTY" redirecting you to a fake site login... into which you must enter your MSN credentials, thus stealing your account's password. I say it's hardly Hotmail's fault... more like user error.
I'm confused. Your complaints are about Windows 3.11's multitasking (it was co-operative, like almost all multitasking at the time), Windows 95's, which you said was co-operative (it was actually pre-emptive), Wing Commander not working with your graphics drivers (your damn graphics card vendor's fault, not Microsoft), Media Player not playing half your movies (Windows doesn't ship with XviD, or anything like that, partially because it can't), and Vista running like ass on a "1/2 gig machine" (half gig of what? Memory? Processor speed? Either way, way below the minimum requirements).
Basically, your entire post boils down to "Microsoft sucks because I don't know what I'm doing". Well done.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Alright... I loled. Not the usual copy/paste wall of troll text I'm used to seeing.
I'm not completely familiar with Microsoft's password recovery practices, but if recovery is something like 'enter your mom's name' then your password is as strong as your mom's name.
It just takes an extra step.
This is why it's called, "hot" mail. Because most of the active accounts are stolen.
1. Did the attacker brute force/exploit to get into his account, or did he just guess the password? If the password was easy and the attacker guessed it, then it is the editor's fault. If the system was compromised or brute forced then it is completely Microsoft's fault.
2. Was the password commonsense or easily guessable? If you use a stupidly easy password(12345, anyone?) then it is completely your fault. There is no case for "microsoft should have forced a tougher password". It is up to the user to use security properly.
3. Does MS really allow enough attempts that brute forcing would not immediately be noticed and flagged? How many actual users do you think would try to log into their account a couple dozen times per second at least?
4. Doesn't hotmail have any sort of outgoing spam guard? I know on GMail when you try to send certain formatted or link-containing messages to hundreds of people, they check to see if the outgoing mail is spam-like.
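Added example (editor's note, not part of the post above, the earlier comment suggesting that accounts which mass-mail their contact list should be suspended, or any real Hotmail/Gmail filter, whose logic is not public): one way an outgoing spam guard of the kind asked about in point 4 can work is to watch, per account, for a burst of messages to many distinct recipients that all carry a link to a domain the account has never linked to before. The sent-mail log format, the accounts, the threshold values and the "bad-host.example" domain below are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Added example. Log format (constructed): "<iso-timestamp> <sender> <recipient> <body>".
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def link_domains(body: str) -> set:
    """Hostnames of every http(s) URL in a message body."""
    return {urlparse(u).hostname or "" for u in URL_RE.findall(body)}


def parse_line(line: str) -> dict:
    ts, sender, rcpt, body = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "account": sender, "rcpt": rcpt, "body": body}


def build_baseline(events, before: datetime) -> dict:
    """Domains each account has linked to in its history prior to `before`.
    The baseline is built from older mail only, so a burst cannot train it."""
    seen = defaultdict(set)
    for ev in events:
        if ev["ts"] < before:
            seen[ev["account"]] |= link_domains(ev["body"])
    return seen


def detect_burst(events, baseline, window=timedelta(minutes=10),
                 max_recipients=15, min_new_domains=1) -> dict:
    """Flag an account that, within `window`, mails >= max_recipients distinct
    recipients with links to >= min_new_domains domains absent from its baseline.
    Returns {account: reason}; a flagged account is reported once."""
    flagged = {}
    recent = defaultdict(deque)  # account -> deque of (ts, recipient, link domains)
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["account"]
        q = recent[acct]
        q.append((ev["ts"], ev["rcpt"], link_domains(ev["body"])))
        while q and ev["ts"] - q[0][0] > window:   # slide the window forward
            q.popleft()
        recipients = {r for _, r, _ in q}
        new_domains = set()
        for _, _, doms in q:
            new_domains |= doms - baseline.get(acct, set())
        if (acct not in flagged and len(recipients) >= max_recipients
                and len(new_domains) >= min_new_domains):
            flagged[acct] = (f"{len(recipients)} recipients within {window}, "
                             f"new link domains {sorted(new_domains)}")
    return flagged


# Constructed sample: normal traffic over two days, then a 20-message burst
# from alice's account pushing one never-before-seen link to 20 contacts.
SAMPLE_LOG = [
    "2012-05-20T09:00:00 alice@example.com friend1@example.org hi, slides at https://www.example.com/slides",
    "2012-05-21T10:15:00 bob@example.com carol@example.org lunch tomorrow?",
    "2012-05-21T11:00:00 alice@example.com friend2@example.org see https://www.example.com/notes",
] + [
    f"2012-05-22T03:12:{i:02d} alice@example.com contact{i}@example.org check this out http://bad-host.example/x?id={i}"
    for i in range(20)
]


def run_sample() -> dict:
    events = [parse_line(l) for l in SAMPLE_LOG]
    baseline = build_baseline(events, before=datetime(2012, 5, 22))
    return detect_burst(events, baseline)


if __name__ == "__main__":
    for acct, reason in run_sample().items():
        print(f"SUSPEND {acct}: {reason}")
```

The recipient and time thresholds are the tunable part: a legitimate newsletter from a personal account would trip the recipient count, but rarely with a link domain the account has never used, which is why the two conditions are combined. Holding the flagged messages for a second-factor confirmation, as suggested above, rather than silently dropping them, keeps a false positive from becoming a lost mail.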
If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
Talk about an epic fail.
The main issue now is, how did it get hacked, as millions of users are using the Hotmail/Live platform daily without problems.. Maybe the reporter was a bit dumb and put his login-account details on a hazy website for some reason (like an external importing app, or a malicious app for his phone/tablet/whatever)..
It's not like an account can be hacked that easily (just as easy as a GMail account could be hacked)..
So the hacking of his account doesn't have anything to do with the service itself..
Microsoft has no fucking clue how to design good software/services.
A bit of a shameless plug, but not too long ago I wrote a blogpost concerning this issue:
http://bartblaze.blogspot.com/2012/04/hacked-hotmail-accounts-and.html
On the 22nd, this happened when I tried it in a VM: log into a disposable hotmail account and open another browser tab. In the new tab, go to lots of disreputable sites such as astalavista.am. And behold: you have been logged out of hotmail. Log back in and note that you now have a bunch of bounce messages from the spam sent by whoever just hijacked your hotmail account.
Perhaps Microsoft fixed it by now. Nonetheless, Hotmail has a long history of incredibly bad exploits, such as when anyone could view anyone else's account by modifying a URL after logging in. I wouldn't trust it.
I remember in the early 2000s they reduced their capacity to 2MB. A few years later Gmail came along with 1 gig - I haven't looked back. I will never ever use hotmail again in my life.
I wouldn't even have got that far with Hotmail.
Like Yahoo, Hotmail has animated ads. I can't concentrate on writing an email with something flashing in the corner of my eye, so that renders it completely unusable for me. If the ads were a little more discreet, like gmail's, I'd use it more - I do use it for a secondary account to avoid the "keeping all eggs in the (google) basket" problem.
I guess adblockers would be the answer, but if a service doesn't want to be usable, why should I use it?
NT 3.51 never had any stability problems for me.
Years ago, my father and I were both astonished to discover that hotmail was supposed to be a legitimate mail service. We'd both received so much porn spam from hotmail addresses (hot mail, right?) and didn't know anyone who actually used it. I can't believe that anyone would intentionally switch to it.
After all, your cries implying Microsoft were innocent are quite insane.
Actually NT4 was better than Windows 2000, but it didn't support USB. NT 3.51 was even better than 4, probably Microsoft's most stable multitasking system ever.
>>>Windows 95's, which you said was co-operative (it was actually pre-emptive)
Only for 32 bit apps, which did not exist at the time. All my apps were still the old 16 bit versions which only ran cooperatively and crashed frequently.
>>>your damn graphics card vendor's fault, not Microsoft
Microsoft in 1995 should have supported nVidia cards... it was only the 2nd most popular brand. AND Microsoft is most certainly to blame for saying Vista can run on 1/2 gig of memory, when that was never the case. As I said it froze up again and again (hard drive thrashing).
And yes Microsoft sucks. 20 years of using their software, and they are consistently the worst-written programs compared to what other companies have made. But you wouldn't understand because you've probably never tried another OS like Atari TOS or AmigaOS or Classic Mac OS. You have no clue how bad MS truly is, because you've never used anything else.
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
Microsoft in 1995 should have supported nVidia cards... it was only the 2nd most popular brand. AND Microsoft is most certainly to blame for saying Vista can run on 1/2 gig of memory, when that was never the case. As I said it froze up again and again (hard drive thrashing).
Complaining about Windows being too bloated and not being bloated enough in the same paragraph.
*head explodes*
>>>XP was less stable than 2000.
Really? Wasn't XP simply the +0.1 version of Win2000? I would have thought XP would be more stable, like how WinSeven (6.1) is more stable/bugfree than Vista (6.0).
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
To brute force an email address would require at least tens of thousands of attempts and likely several magnitudes more. There is no way this is possible with any email service with timeouts and/or captchas.
But coming down on Hotmail because you're too stupid to either use a complex password on your incredibly well-known email address, or to keep your system clean of keyloggers, is a bit over the line.
XP was notoriously unstable until SP2. The beige box store I worked for at the time stopped selling it because of the support issues it caused. We only went back after SP2 was released.
Actually this is a perfectly valid password if you're testing something compared to an average, non-technical person
It may even be a better password than a common user has... as people often use the name of their firstborn or some stupid crap like that.
Most secure systems I know of will (temporarily) lock an account after a successive number of incorrect login attempts. So assuming his password might be something similar to igotmilk (ok, that's at least 8 chars)... well
If it's a weak password, then either it shouldn't have been allowed in the first place, or the service should have good anti brute-force measures.
Hotmail's not the worst culprit. Many banks I know have password restrictions such that you can't even enter special characters if you want to, and passwords must be 8 chars or less.
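Added example (editor's note, not part of the post above, nor Microsoft's actual, undocumented policy): the anti-brute-force measures mentioned here and in the earlier comments about timeouts, captchas and lockouts can be made concrete with a small throttle, and simulating a day of guessing against it shows why online guessing of even a seven-lowercase-letter password is not a realistic route in. The failure threshold, lockout durations, the per-IP budget and the attacker model (one guess per second from a fresh source address each time) are all assumptions; time is passed in explicitly so the simulation is deterministic.

```python
from collections import defaultdict

# Added example. Thresholds and durations are assumptions, not any provider's policy.


class LoginThrottle:
    """Per-account lockout with exponential backoff, plus a per-source-IP
    budget so one address cannot spray guesses across many accounts."""

    def __init__(self, max_failures=5, base_lockout=60, max_lockout=3600,
                 ip_limit_per_hour=100):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.ip_limit = ip_limit_per_hour
        self.failures = defaultdict(int)      # account -> consecutive failures
        self.lockouts = defaultdict(int)      # account -> lockouts so far (backoff exponent)
        self.locked_until = defaultdict(float)
        self.ip_attempts = defaultdict(list)  # ip -> attempt timestamps (last hour)

    def attempt(self, account: str, ip: str, password_ok: bool, now: float) -> str:
        # 1. Sliding one-hour budget per source address, checked before anything else.
        recent = [t for t in self.ip_attempts[ip] if now - t < 3600]
        if len(recent) >= self.ip_limit:
            self.ip_attempts[ip] = recent
            return "ip_throttled"
        recent.append(now)
        self.ip_attempts[ip] = recent
        # 2. Account lockout: reject without even checking the password.
        if now < self.locked_until[account]:
            return "locked"
        if password_ok:
            self.failures[account] = 0
            self.lockouts[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            delay = min(self.base_lockout * 2 ** self.lockouts[account], self.max_lockout)
            self.locked_until[account] = now + delay
            self.lockouts[account] += 1
            self.failures[account] = 0
            return f"locked_for_{int(delay)}s"
        return "bad_password"


def simulate_online_attack(seconds: int = 86400) -> int:
    """Attacker model (assumption): one wrong guess per second against a single
    account, from a new IP every time so the per-IP budget never applies.
    Returns how many guesses the throttle actually let through."""
    throttle = LoginThrottle()
    guesses = 0
    for t in range(seconds):
        result = throttle.attempt("victim@example.com", f"10.0.{t // 250}.{t % 250}-{t}", False, float(t))
        if result == "bad_password" or result.startswith("locked_for"):
            guesses += 1   # the guess that triggers a lockout still consumed a password check
    return guesses


if __name__ == "__main__":
    per_day = simulate_online_attack()
    keyspace_half = 26 ** 7 // 2   # expected guesses for 7 random lowercase letters
    print(f"guesses allowed per day: {per_day}")
    print(f"expected days to hit a 7-lowercase password: {keyspace_half / per_day:.3g}")
```

With these settings the attacker gets on the order of 150 password checks per day against one account, so the expected time to guess even seven lowercase letters is tens of millions of days. That is the arithmetic behind the comments above that suspect password reuse, phishing or malware rather than guessing; note that the account lock itself is a denial-of-service lever (the MSN "too many password attempts" story earlier in the thread), which is why the lock is short at first and only grows with repeated abuse.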
I never had an issue with DOS crashing...
Just Saying.
I've had no problems with Hotmail but I don't usually use it with Windows, which may be why I've had no issues. However, many years ago I had another Hotmail account which got totally spammed. I couldn't use it because it filled up with spam so quickly that the small space they allowed back then was full in a matter of hours. If you could log in, you couldn't remove the spam as quickly as it was coming in.
I've been a long time Hotmail user. Just Hotmail, not Live or Xbox or anything else. My pw is 7 chars of mixed upper, lower, and numeric. Totally random. And used only for Hotmail. Friday night 3 emails were sent in short succession to my 5 member contact list. Each email contained a link to a separate compromised URL. The emails are still sitting in my outbox, so it was not like someone just copied my contact list and spoofed the headers. And they did not change the Hotmail PW or otherwise change any settings. I do not know how they broke in. Virus scans with Avast and AVG came up empty. I've since changed the password, and re-imaged my computers. There must be some exploit making the rounds.