Microsoft's Hotmail Challenge Backfires
Barence writes "Microsoft challenged the editor of PC Pro to return to Hotmail after six years of using Gmail, to prove that its webmail service had vastly improved — but the challenge backfired when he had his Hotmail account hacked. PC Pro's editor says he was quietly impressed with a number of new Hotmail features, including SkyDrive integration and mailbox clean-up features. He'd even imported his Gmail and contacts into Microsoft's service. But the two-week experiment came to an abrupt end when Hotmail sent a message containing a malicious link to all of his contacts. 'What's even more worrying is that it's not only my webmail that's been compromised, but my Xbox login (which holds my credit card details) and now my PC login too. Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features such as the Metro Store, synchronization and SkyDrive,' he writes."
Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features
So the Marketing department got the green light over the Security department during the development of Windows 8. Naturally, it is the Security department's responsibility to ensure that when the Marketing department does something stupid like linking account credentials between two separate administrative domains, it's Security's responsibility to sprinkle magic fairy dust over it.
Okay, I'd like my $80,000 bonus now, and a letter of resignation from the chief designer of the Windows Live security team please. Also, let the marketing department know that we'll need to find someone to spin the bad press away, you know, the usual crap about it being a beta release and then suing him for violating the NDA that says he can only report positive experiences with the beta.
#fuckbeta #iamslashdot #dicemustdie
I actually feel sorry for M$ on this. They tried so hard and genuinely improved the service and this happens. Still hilarious though.
To offset political mods, replace Flamebait with Insightful.
Or did he just use a crappy password or have malware already on his computer? I know it's popular to bash MS, and I dislike the account convergence we are rapidly screaming towards, but blaming the service when it was more likely that he created the vulnerability is just tacky.
Could be any of those things, or all of those things. In a fully Microsoft monoculture of shared architecture and sloppy security practices, it only takes one weak link to break the whole chain.
No way that a web-based service should allow that sort of dictionary attack to succeed. It's not too hard to deliberately spend a sufficiently long time authenticating someone (especially if there have been a bunch of password failures recently on the account / from that IP) that dictionary attacks become unfeasible; it's not like you get to attack the hash. (Look at Wikipedia, for instance, where three login failures cause you to need to fill in a CAPTCHA to log in.)
(1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
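The throttling the comment above describes, as an added example (not Hotmail's, Wikipedia's or any commenter's code): consecutive failures are counted both per account and per source IP, each failure doubles the mandatory wait on both keys, and after three failures a CAPTCHA is demanded, the Wikipedia-style rule mentioned. The user store, account name, thresholds and PBKDF2 work factor are assumptions.

```python
# Added example, not code from Hotmail, Wikipedia or any commenter: a login
# throttle with escalating per-account and per-IP delays plus a CAPTCHA gate.
# Names, thresholds and the constructed user store are assumptions.
import hashlib
import hmac
import os
import time
from collections import defaultdict

KDF_ROUNDS = 100_000  # assumed server-side PBKDF2 work factor


def make_record(password: str) -> dict:
    """Store a salted PBKDF2-HMAC-SHA256 digest rather than the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)
    return {"salt": salt, "digest": digest}


# Constructed user store with one account (password chosen for the example).
USERS = {"editor": make_record("correct horse battery")}


def verify_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        # Do the same work for unknown users so response time does not reveal
        # which account names exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, KDF_ROUNDS)
        return False
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], KDF_ROUNDS)
    return hmac.compare_digest(calc, rec["digest"])


class LoginThrottle:
    """Consecutive-failure counters keyed by account and by source IP.

    Each failure doubles the mandatory wait on both keys (capped at MAX_DELAY),
    so an online dictionary attack slows to a crawl whether it hammers one
    account from many IPs or many accounts from one IP.
    """
    BASE_DELAY = 1.0
    MAX_DELAY = 300.0
    CAPTCHA_AFTER = 3  # the three-failures rule from the comment above

    def __init__(self, clock=time.time):
        self.clock = clock                      # injectable for deterministic tests
        self.failures = defaultdict(int)        # key -> consecutive failures
        self.blocked_until = defaultdict(float)  # key -> earliest allowed attempt

    @staticmethod
    def _keys(user, ip):
        return (("user", user), ("ip", ip))

    def check(self, user, ip):
        """Return (allowed, needs_captcha, seconds_to_wait) for this attempt."""
        now = self.clock()
        keys = self._keys(user, ip)
        wait = max(self.blocked_until[k] - now for k in keys)
        fails = max(self.failures[k] for k in keys)
        return wait <= 0, fails >= self.CAPTCHA_AFTER, max(wait, 0.0)

    def record_failure(self, user, ip):
        now = self.clock()
        for k in self._keys(user, ip):
            self.failures[k] += 1
            delay = min(self.BASE_DELAY * 2 ** (self.failures[k] - 1), self.MAX_DELAY)
            self.blocked_until[k] = now + delay

    def record_success(self, user, ip):
        for k in self._keys(user, ip):
            self.failures[k] = 0
            self.blocked_until[k] = 0.0


def attempt_login(throttle, user, password, ip, captcha_ok=False) -> str:
    """One login attempt; returns a short status string."""
    allowed, needs_captcha, wait = throttle.check(user, ip)
    if not allowed:
        return f"throttled: retry in {wait:.0f}s"
    if needs_captcha and not captcha_ok:
        return "captcha required"
    if verify_password(user, password):
        throttle.record_success(user, ip)
        return "ok"
    throttle.record_failure(user, ip)
    return "bad password"


if __name__ == "__main__":
    th = LoginThrottle()
    for guess in ("password", "letmein", "hunter2", "correct horse battery"):
        print(guess, "->", attempt_login(th, "editor", guess, "203.0.113.5"))
```

Note that a success resets only the account key and the IP that succeeded; an IP that has been failing keeps its backoff, so the legitimate owner logging in from home does not unlock the attacker's source.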
His password is 7 lower case characters. It's a wonder his GMail account wasn't hacked ages ago.
... well then ... it's a damn good thing that almost all Windows users are business users then! You know ... because regular folks would probably sacrifice security for usability if they even knew that was what they were doing. Thank God there aren't many of those types with 'puters connecting their tubes to the Internet!
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Hotmail login the same as Windows logon and Windows Store with CC? WOW, Windows 8 may flop so bad that they have to have a Windows 9 next year, or a Windows 7.5.
It won't have any domain authentication, no group policy, and not much as far as granular security (obviously). No, it was dead on arrival as far as business use is concerned, and Microsoft has already stated as much. Apparently Microsoft Bob, Windows ME, etc., and now Windows 8 demonstrates that Microsoft will continue its "Trek" release schedule; You know, that whole odd-even thing. :\
#fuckbeta #iamslashdot #dicemustdie
What makes you think deleting the email account that minute would have made the slightest difference?
They got in, skimmed it for the contact list, and they are done.
They don't actually need access to your account to send email masquerading as being from you to spam your contacts from then on.
If you drove a Lexus, then why did you switch to the Yugo? The only serious answer that you can give is that the old-Lexus brand that you knew had failed.
There are plenty of flavors of Linux, BSD and even Mac OS X if that floats your boat. Being "stuck" with Windows is your own fault, or if it has applications that you require, then whose fault is that (hint: not the company that wrote the operating system)?
And even if there isn't, logic should be in place to suspend accounts that start mass emailing their contact lists with suspicious links; it shouldn't be that hard to stop.
The same thing was mentioned above, but all a hacker needs is the contact list. They can spoof your email address and bypass Microsoft entirely afterwards. Of course the same is true of all email providers.
This would hold water if Microsoft weren't a convicted monopolist.
They did some things right -- they gambled on backwards compatibility at expense of efficiency and won big-time. But they pulled a lot of dirty tricks, too, and their market position partly reflects that.
Well, GPU cracking is something like 500 million hashes / sec = 2^29 hashes/sec. Four words out of a 2k-word dictionary (which is small), selected randomly, is a space of 2^44 passwords. That's about 9 GPU-hours, which is not good. Adding a fifth word increases this to roughly 2 GPU-years (a factor of 2^11). Adding numbers in between the four words increases the password space by about 2^5, which is something (~300 GPU-hours) but is not really substantial. (A sixth work makes it 4000ish GPU-years, which is starting to get really cost prohibitive.)
More effective, really, is for people storing passwords to increase the cost of computing hashes. If you use something like HMAC, both cracking time and password verification time scale linearly in the number of rounds. Client-side, this is easy. Well-designed modern encryption software, for example, uses enough rounds in password-based key derivation that it takes on the order of a second to compute. That's roughly a million rounds, so password cracking against a 4-word password at 500 Mhashes/sec increases from 9 GPU-hours to 1000 GPU-years. Server-side, password verification is more expensive, but even using thousands of rounds of SHA1 over one round of MD5 is a huge security increase.
Unfortunately, the end user has little control (or even knowledge) of how passwords are stored server-side.
Agreed. Unless the hacker exploited a flaw in Hotmail to get the login credentials or it was obtained from some other Microsoft service (highly doubtful), then really it could be the editor's fault for either having an easily guessable password (the same as his luggage perhaps), or logging in from a computer that had been rooted and was key logging or whatever.
http://xkcd.com/936/
Truth be told the passwords we actively encourage are no stronger than what he used. If you want a really strong password, use a sentence of random words. Password length matters far more than password content - this is a simply provable fact - too bad hardly anybody in security realizes it.
That XKCD strip is consistently misunderstood. Random words aren't more secure than a sequence of random letters, numbers and symbols. For example, a random sequence of seven letters (mixed case), symbols (assume 10 of them) and numbers has the same amount of entropy as the four dictionary words Munroe mentions. Eight characters is significantly stronger than four words. "Length matters more than content" is an oversimplification to the point of meaninglessness. Arguably, Munroe's example is shorter, since it's a sequence of four randomly-chosen symbols, rather than seven or eight. It's just that the symbols are chosen from a larger set (2048 vs 72).
The point of the strip is that, for most people, the sequence of words provides a strong password that is easier to remember. If remembering your password is your problem, then a sequence of random words is a good solution (but don't fall for the temptation to pick a favorite sentence). However, Munroe's example is almost four times as many letters to type -- call it three times as many keystrokes after accounting for the need to hit the shift key a few times in a random character sequence. Even worse, the fact is that many (lame) authentication systems won't accept very long passwords. In many ways multi-word passwords are impractical.
Personally I optimize for ease of typing, not ease of memorization. I use my most important passwords sufficiently frequently that remembering them is no problem, but being able to type them quickly and accurately can be. I use a random password generator to generate a random 10-character sequence, then I permute it for ease of typing. Permuting in a fairly predictable way (grouping shifted characters and arranging to alternate touch-typing hands between pairs of characters) reduces the entropy a little, which is why I generate 10 characters rather than eight or nine.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
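The GPU-hours arithmetic in the earlier comment (four words from a 2k dictionary at 2^29 hashes/sec, the effect of a fifth and sixth word, and of a million KDF rounds) and the entropy comparison in the comment just above (seven or eight characters from a 72-symbol set versus four words from 2048) are the same calculation with different inputs. This added example, not code from any commenter, packages it as reusable functions so the figures can be checked; the 2^29 rate and the 2048-word list come from the comments, the scheme table and formatting are assumptions.

```python
# Added example, not from any commenter: the cracking-cost arithmetic from the
# comments above as reusable functions. 2^29 hashes/sec and the 2048-word list
# are the commenters' figures; the rest is illustration.
import math

GPU_HASHES_PER_SEC = 2 ** 29          # "something like 500 million hashes/sec"
SECONDS_PER_YEAR = 365 * 86400


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` uniformly random picks from an alphabet of
    `alphabet_size` symbols. A word from a 2048-word list and a character from
    a 72-key set are both 'symbols' here; only the alphabet size differs."""
    return length * math.log2(alphabet_size)


def crack_seconds(bits: float, kdf_rounds: int = 1,
                  hashes_per_sec: float = GPU_HASHES_PER_SEC) -> float:
    """Time to exhaust the whole space when every guess costs `kdf_rounds`
    hash evaluations (1 = a single fast hash; a million = a slow KDF)."""
    return 2 ** bits * kdf_rounds / hashes_per_sec


def human(seconds: float) -> str:
    """Render a duration in the GPU-hours / GPU-years style of the comment."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} GPU-{unit}"
    return f"{seconds:.1f} GPU-seconds"


def compare_schemes(kdf_rounds: int = 1):
    """(description, bits, crack time in seconds) for the schemes discussed."""
    schemes = [
        ("4 words from 2048", entropy_bits(2048, 4)),
        ("4 words + digits between (x2^5)", entropy_bits(2048, 4) + 5),
        ("5 words from 2048", entropy_bits(2048, 5)),
        ("6 words from 2048", entropy_bits(2048, 6)),
        ("7 random chars from 72", entropy_bits(72, 7)),
        ("8 random chars from 72", entropy_bits(72, 8)),
    ]
    return [(name, bits, crack_seconds(bits, kdf_rounds)) for name, bits in schemes]


if __name__ == "__main__":
    for rounds in (1, 1_000_000):
        print(f"\nkdf rounds = {rounds:,}")
        for name, bits, secs in compare_schemes(rounds):
            print(f"  {name:34s} {bits:5.1f} bits  {human(secs)}")
```

Running it reproduces the comment's numbers: about 9 GPU-hours for four words, roughly 2 GPU-years for five, about 4000 for six, and about 1000 GPU-years for four words once each guess costs a million rounds. It also shows why seven characters from 72 symbols (43.2 bits) sit just below four words (44 bits) while eight (49.4 bits) sit well above.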
From the article:
Yeah, not a very strong password. What the hell was he thinking? At least mix case and have one number. Passwords I use have mixed case, numbers and symbols in it so it's not so easy to guess.
Why would a moderate strength password not be enough ? I am sure even MS rate-limits login attempts. And if someone got root to Hotmail servers you are screwed anyway.
I'll third that. I was appalled with the editor's attitude to passwords.
2. He was shocked one of his services had woken up and hardened its password policy [FAIL - you should be encouraging this kind of behaviour, not dissing it - I'm pissed when I'm _not_ allowed to use special characters]
3. He obviously has no password management plans [FAIL - If I had to replace every single one of my passwords today it would be a hassle but there would be no chance of me not being able to recover accounts the next day]
I feel less intelligent after having read this article... help me!
Can a person program a new solution to a problem? Why should anyone be able to stop such a thing? -Richard Stallman
Don't, they have done it to themselves. If Microsoft stopped forcing its own software down your throat and gave users choice they would have better products. Windows 8? You need to use your Windows Live account, check your email through Live Messenger, you want to use Internet Explorer, don't you. Also your default search is Bing, whoops you changed that to Google, let's change that back to Bing because you fucking love Bing, don't you? Don't you!?!
Sometimes when products work together they work better but sometimes you need separation between your accounts. If I have an Xbox Live account I may want my credit card on there to buy things but if I also have a Hotmail account, I may have zero reason for Hotmail to have my credit card number. Maybe I want them linked together and to share data and maybe I want them worlds apart and not even know the other exists. Just give me a fucking choice.
The monopoly part was for pushing their browser, not the operating system. Besides, it happened over a decade ago and you are still going on about that bullshit? Give it a rest. No one cares or even remembers (clearly you don't).
People do care and do remember, because their OS monopoly is what allowed them to gain a browser monopoly and set the web back several years. They did leverage their position to ensure that non-Microsoft OSes were not distributed on OEM PCs, particularly BeOS which they threatened HP over.
Please don't shill for Microsoft.
I feel less intelligent after having read this article... help me!
And yet everything you listed is typical of regular users and hotmail's target audience is regular users. The author may be a dolt because he failed to apply the expertise that is a requirement of his job, but when you have to be an expert to properly use a consumer-grade service, the real problem lies squarely with the service, not the user.
When information is power, privacy is freedom.
Does it matter if it is "weak" or not? Unless the hackers compromised Hotmail's password file and are busily trying to crack it, it is irrelevant.
What is relevant is that hotmail is apparently open to being bruteforced. Now, *THAT* is a fail.
How is it the service's fault if the user uses the same password on all services?
Using the same password everywhere is what normal people do. Not because they are stupid, but because password authentication systems simply do not scale. Normal people can handle 2 or 3 different passwords at most. Expecting normal people to keep track of 5+ unique passwords is a losing proposition.
When information is power, privacy is freedom.