Microsoft's Hotmail Challenge Backfires
Barence writes "Microsoft challenged the editor of PC Pro to return to Hotmail after six years of using Gmail, to prove that its webmail service had vastly improved — but the challenge backfired when he had his Hotmail account hacked. PC Pro's editor says he was quietly impressed with a number of new Hotmail features, including SkyDrive integration and mailbox clean-up features. He'd even imported his Gmail and contacts into Microsoft's service. But the two-week experiment came to an abrupt end when Hotmail sent a message containing a malicious link to all of his contacts. 'What's even more worrying is that it's not only my webmail that's been compromised, but my Xbox login (which holds my credit card details) and now my PC login too. Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features such as the Metro Store, synchronization and SkyDrive,' he writes."
This one's for Jesus, deal with it brothers
The captcha is Majestic
Other than that, would this be an experience you would recommend to others?
Hotmail sent a message containing a malicious link to all of his contacts
It seems to me that it was convincingly demonstrated that Hotmail has a few features that Gmail lacks.
Good job Microsoft!
Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features
So the Marketing department got the green light over the Security department during the development of Windows 8. Naturally, when the Marketing department does something stupid like linking account credentials between two separate administrative domains, it's Security's responsibility to sprinkle magic fairy dust over it.
Okay, I'd like my $80,000 bonus now, and a letter of resignation from the chief designer of the Windows Live security team please. Also, let the marketing department know that we'll need to find someone to spin the bad press away, you know, the usual crap about it being a beta release and then suing him for violating the NDA that says he can only report positive experiences with the beta.
#fuckbeta #iamslashdot #dicemustdie
From the article (but curiously missing from the summary):
(Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It’s not the world’s strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn’t that weak, either.)
In other words he used a shitty password and got hit by a dictionary attack. Nothing new or interesting here. Move along.
This shouldn't affect his opinion of Hotmail at all...
Or did he just use a crappy password or have malware already on his computer? I know it's popular to bash MS, and I dislike the account convergence we are rapidly screaming towards, but blaming the service when it was more likely that he created the vulnerability is just tacky.
From the story: 'For those of you inquiring about the strength of my Hotmail password - it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun.'
I smell that I am not getting quite the full story here...
Somehow this reminds me of the glorious 90s, when music was great, anime looked the best, and Hotmail became the first web email account I had ever used...
Stop making your password "notpassword"!
So, a fairly public persona publicly announces that he's switching to Hotmail to give it a go. And has a weak-sauce password:
(Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It’s not the world’s strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn’t that weak, either.)
And somehow this is Microsoft fault? He's just asking to be hacked, and with a weak password like this? *sigh*
In other news it's my home builders fault that I left my keys in my door and I was robbed.
Everyone that disagrees with me is a paid shill
It's only recently (Nov. 2010) that hotmail even had the option of using SSL:
http://windowsteamblog.com/windows_live/b/windowslive/archive/2010/11/09/hotmail-security-improves-with-full-session-https-encryption.aspx
And SSL still isn't the default option for hotmail.
Gmail at least had the option for SSL for many many years, and google made SSL the default a few years back (after they got hacked by the Chinese).
Hotmail login same as Windows logon and Windows Store with CC? WOW, Windows 8 may flop so badly that they have to have a Windows 9 next year, or a Windows 7.5.
(and got modded -1). I think this story proves what I was saying:
Try "Skydrive? [Or hotmail?]
"One word:
"Microsoft.
"How many chances am I supposed to give this company? They've let me down almost every time... the earliest being when I tried to multitask in Windows 3 and 95, but it hung the system repeatedly (cooperative tasking sucks). Then I tried to play Wing Commander and it refused to run due to graphics-card incompatibilities/broken drivers. I ended-up playing the Commodore Amiga version instead (just plug'n'play). More recently MS media player refuses to execute half the movies I throw at it [.....] Windows XP was the first stable OS to come out of that company, so I had high hopes they had turned around... but then I experienced Vista on my brother's brand-new 1/2 gig machine. It was ass..... random freeze-ups for 2-3 minutes.
"Better to avoid MS as much as possible......" No to Hotmail.
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
Why is this in idle? After that blatant dupe earlier...
You are grounded!
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Most people I help or talk with have been hacked on Hotmail. Microsoft must have no security; I've been hearing about Hotmail hacks for a long time. Suggestion: don't use Hotmail :-) Very insecure.
LastPass
http://www.lastpass.com
MS is continually bashed for security reasons, and mocked for being a virus spreading engine etc etc. Those who continually make such silly and baseless allegations, as evidenced by the story above, don't even once think about the alternatives and THEIR security problems.
After dumping Windows and MS products in general a few years ago, I have had a first-hand hard lesson in the problems of 'alternative' OSes, if you can call them that. My problems have been nearly unending since switching to Linux, I mean just last month, or was it the month before, my laptop crashed. This wasn't the first time either, it routinely happens 2-3 times a year.
Think about it people, if you don't use MS, you might not have horrific security problems that compromise all connected devices and identities, but you may have to suffer through a similar fate to me. Be careful what you ask for, and THINK before you whine in public.
-Charlie
"...forcing me to include a capital letter, a number, a set number of characters and a symbol from the Ancient Greek alphabet (I exaggerate only slightly)."
His password was most likely 'editors' and is wondering how he was "hacked". It really is sad that such a fool can post news about the security, or lack thereof, of Microsoft's Hotmail service.
...perhaps this will light a fire under Microsoft to get their system a bit more secure (in spite of weak passwords like the one the guy used), and not allow things like spamming all contacts without some second-source notification/response, or some other easy to implement blocks to this sort of behavior.
And the result for consumers will be a more robust system in general (Microsoft Account/WindowsLiveID, as well as HotMail, Win8, XBoxLive, etc).
Failures often spur innovation and improvement. They're not always a bad thing (though this one is particularly embarrassing, it may be just that level of embarrassment that drives the motivation to work on solutions to the problem).
- Spryguy
There are three kinds of people in this world: those that can count and those that can't
That is all.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
http://xkcd.com/936/
Truth be told the passwords we actively encourage are no stronger than what he used.
If you want a really strong password, use a sentence of random words. Password length matters far more than password content - this is a simply provable fact - too bad hardly anybody in security realizes it.
Unicode killed the ASCII-art *
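To put numbers on the "length matters more than content" claim above, and on the lockout and brute-force questions raised elsewhere in the thread, here is an added example (my own code, not from the article or any commenter). The guess rates, lockout parameters and the 2048-word dictionary size are assumptions for illustration.

```python
import math

def search_space(alphabet_size, length):
    """Number of distinct strings of `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length

def passphrase_space(dictionary_size, words):
    """Number of distinct passphrases of `words` words drawn uniformly from a word list."""
    return dictionary_size ** words

def entropy_bits(space):
    """Entropy of a secret chosen uniformly from `space` candidates."""
    return math.log2(space)

def offline_guess_seconds(space, guesses_per_second):
    """Worst-case seconds to exhaust `space` if the attacker holds the hash database
    and can test guesses offline at `guesses_per_second` (an assumed rate)."""
    return space / guesses_per_second

def online_guess_seconds(space, attempts_before_lock, lockout_seconds):
    """Worst-case seconds to exhaust `space` against a service that locks the
    account for `lockout_seconds` after `attempts_before_lock` failures.
    Assumed lockout model; per-attempt network latency is ignored."""
    locks = math.ceil(space / attempts_before_lock)
    return locks * lockout_seconds

def compare():
    """Return {description: (search space, entropy bits)} for the password shapes
    discussed in the thread plus two random-word passphrases."""
    rows = {
        "7 lowercase letters": search_space(26, 7),
        "7 mixed-case alphanumerics": search_space(62, 7),
        "4 random words from 2048-word list": passphrase_space(2048, 4),
        "6 random words from 2048-word list": passphrase_space(2048, 6),
    }
    return {name: (space, round(entropy_bits(space), 1)) for name, space in rows.items()}

if __name__ == "__main__":
    for name, (space, bits) in compare().items():
        print(f"{name:38s} {space:>22d} {bits:5.1f} bits")
    lower7 = search_space(26, 7)
    # Constructed rates: 1e9 guesses/s offline; 5 tries then a 15-minute lock online.
    print("offline @1e9/s:", offline_guess_seconds(lower7, 1e9), "s")
    print("online, 5 tries per 900 s lock:", online_guess_seconds(lower7, 5, 900) / 31557600, "years")
```

The point the numbers make is that a four-word random passphrase already has more entropy than seven mixed-case alphanumerics, and that the same 7-lowercase-letter space that falls in seconds offline takes tens of thousands of years online if lockouts actually hold.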
This is not the first time I hear about a hotmail account being hacked to send malicious links. I had a few friends with the same problem, always hotmail. It's possible there is a serious security problem with the service. And even if there isn't, logic should be in place to suspend account who start mass emailing their contact lists with suspicious links, it shouldn't be that hard to stop.
I guess this is his wah! wah! moment but I am not buying it. Why were you running Windows 8? I saw some noob running it on his main computer the other day and I was tempted to tell him to uninstall it but I let sleeping dogs do their thing. An editor at pcmag should know better; no sympathy from me.
http://www.overtecno.com.br/wp-content/uploads/2011/03/nelson-simpsons-ah-ah-420x261.jpg
Keep an eye out for a handful of talking points repeated with similar words and phrases.
I'd never seen so much shilling for skydrive since that last post about Google's new data locker service.
His password is 7 lower case characters. It's a wonder his GMail account wasn't hacked ages ago.
Hotmail's default isn't SSL as far as I know, and their chat service isn't SSL or encrypted or even able to run encrypted (unlike Google's chat/XMPP). So it isn't exactly safe; not long ago someone was trying a dictionary attack of some sort for days on my MSN Messenger account, as it prevented me from logging in due to "too many password attempts" (when I had not been the one doing those attempts).
I had the same issue last night. Strong password, not logged into hotmail itself in months. Looks more like a breach than anything else.
The only place I've used the password is in MSN in pidgin, I'm considering doing at least a cursory audit of pidgin.
Probably upwards of 20 times in the past year I have heard co-workers, acquaintances, relatives and others bleat "My Email Account Got Hacked!". These folks included AOL, Gmail and Hotmail users.
They didn't get hacked. They were naive. They got hoodwinked. They gave up information to some trojan or phishing email or keylogger. And, yes, many were using the same weak or semi-weak password on multiple sites including their email and Facebook and Amazon and such. They were for the most part completely oblivious that doing that was a Bad Idea.
I am about as far from a Microsoft fan or apologist as it is reasonable to be. I'll also allow that there may be problems in the Hotmail and Live! monoculture (that I am not the world's expert on as I don't use them). But when I read the author admit that he used a fairly weak 7-character, all-lower-case password how can I give this story any credit? Doesn't sound like a very diligent techie to me. Rather, it makes me wonder where else he used that password.
Delete your damn e-mail when you are done with it. Stop raping everyone's privacy.
I’d also set up Hotmail to import all my Gmail and its associated contacts. Not to mention the Facebook and LinkedIn contacts that Hotmail merges into your online address book.
Meaning that all these online services contained the password information for all the other services. Even if different passwords were used for each, the linkages between them all would allow a chain reaction if just one was compromised.
In fact, in the screenshot, I note he has an email about his Google account password being changed. I don't link my Hotmail and Gmail accounts, so I don't know, but does the Hotmail interface even display stored passwords?
but as that email address was also used as my iTunes login, I wanted to change that password as well.
How much of a problem would that be? Unless, of course, they also had the same password...
So I now had three new passwords – all using slightly different systems – swimming round my slightly inebriated brain, and I can’t even remember the name of my news editor when I’m sober.
That sounds an awful lot like he didn't already have a system for maintaining separate passwords for separate services.
For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun.
Being coy about what his former password was may indicate that the very same password is still in use elsewhere.
In the end: an unauthorized user accessed his Hotmail account, but I'm not seeing any strong evidence that it was Hotmail itself that got compromised.
It's got to the point that it's comical, an almost 'oh, that Microsoft' quality.
Think of it from a BYOD mindset.
Now BYOD does have its own security issues, but something like this makes it worse.
The USA without the Baby Boomers would be like a dog without bricks tied to its head.
When the last Baby Boomer croaks the USA will enter into a new era of prosperity.
They're so goddamned self-centered they routinely drive 10-20 below the speed limit, hold up everyone trying to get to work partly to pay for their precious Social Security, and can't understand why that's a problem. And being frivolous and self-important, they're too "good" to pull over and let the long line of cars stuck behind them to pass even though those people are getting to work, have a clock to beat, and the old fart doesn't.
If you work a service job because in this economy you are thankful to have any regular work at all, you know that to the Baby Boomers, every service person is their own personal butler. You'll have noticed that when they ask you where something is, they are usually standing in front of it. They certainly can read because they can absolutely read your nametag, even though it's a much smaller font than the big sign for the item they wanted to find. Being self-centered it would not occur to them to make even a token effort to look around (i.e. swivel their neck about 15 degrees, such horrible effort I know) before requesting that you drop everything you are doing and assist them. You know, like any decent person who doesn't think they're better than you would do.
They don't talk to you, they talk *at* you. I've had them whistle at me like I am a dog and note I have never seen anyone other than a Baby Boomer who was so eager to be degrading like this. They will try to monopolize service personnel and try to talk for 20 minutes to complete strangers about their grandkids, not because they think you care or are involved in any way, but because they love to abuse a captive audience that fears for their job too much to tell them to fuck off. They will do that instead of wondering if there might be good reasons why their kids and grandkids don't visit them, because that line of inquiry might lead to admitting fault, and they're too much better than you to do that. They love to complain about everything even when they know the employee they complain to has no control over high-level company decisions like which products are offered for sale.
With few exceptions they've regressed and have become little more than overgrown two-year-olds. They are bankrupting the country. They vote in huge blocs for all the wrong people, greatly contributing to the political mess we have today. They run homeowner's associations so they can take neighbors to court over such important matters as the color of paint. They are one of the biggest reasons why marijuana remains illegal and otherwise love to use law like a cudgel to beat you over the head with their own brand of morality, that you follow or be punished. They tend to be real big law-and-order types even in situations where there can be no victim because it is all consenting adults.
When the last Baby Boomer dies I intend to throw a huge block party. The theme will be IT'S FINALLY OVER! Get over your idealized image of sweet old inoffensive Grandma because they hide behind that to manipulate your emotions so you feel afraid to admit how pathetic and selfish they are. That same "sweet" old Grandma will turn into MegaBitch the instant you cannot do exactly what she demands. Dunno about you people but I don't believe in false images.
The above applies to all but a few of them. A few of them actually have character traits like patience and wisdom and intellectual independence to show for the great deal of time they have lived on this planet. Those are precious and I treat them with great respect and do whatever I can for them. The other 95% just plain suck and are a total drain on society, both financially and at the interpersonal level.
The USA without the Baby Boomers is like a dog without a stack of bricks tied to its head.
and their new layout sucks. Totally. No colors in labels, screen spacing all wasted, hard to look at.
Meanwhile hotmail HAS improved.
I still prefer gmail, but the difference has narrowed mostly because of gmail's steps backwards into "Apple iTunes ripoff "I'm stupid like your grandma" design concepts. They fucked up something great and made it merely OK.
Hotmail still sucks in many ways, but their inbox is SO much easier to clean out now; that single improvement makes Hotmail easier in many ways to use than Gmail.
If Gmail were to ditch the shitty "everything has to be big and rounded and words have to disappear and be replaced by vague non-descriptive icons" blech, AND institute cleaning like Hotmail, they'd be miles ahead.
Now... if either took the invention of usenet provider Easynews, and allowed a "ranges" feature, they would be golden. If you use easynews, you know what I mean.
If not, it works like this - take a page of 300 items each with individual selection boxes. Click one near the top, one lower, another lower still, and then one more. Click "select ranges".
You get the whole range between your 1st and 2nd selection selected, items afterward are unselected until your NEXT selection, and those between that and the end selection are selected.
Hard to explain, but it's fucking BRILLIANT. No other site I've seen uses that, and it's fucking GREAT.
This space available.
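As an added illustration of the "select ranges" behaviour described above (my own code, not Easynews's implementation): clicked checkboxes are paired in page order, everything between each pair is selected, and the gaps between pairs are left alone. An unpaired last click and out-of-range indices are handled too, which the description does not spell out.

```python
def select_ranges(clicked, total):
    """Return the set of item indices selected after a "select ranges" click.

    `clicked` holds the indices the user ticked individually (any order, duplicates
    allowed) on a page of `total` items numbered 0..total-1.  Consecutive ticks
    are paired: items from the 1st through the 2nd tick are selected, items
    between the 2nd and 3rd are not, the 3rd through the 4th are selected, and
    so on.  A trailing unpaired tick selects only its own item (assumption).
    """
    # De-duplicate, drop anything off the page, and walk the ticks in page order.
    marks = sorted({c for c in clicked if 0 <= c < total})
    selected = set()
    for i in range(0, len(marks), 2):
        start = marks[i]
        end = marks[i + 1] if i + 1 < len(marks) else start
        selected.update(range(start, end + 1))  # inclusive on both ends
    return selected

if __name__ == "__main__":
    # Constructed example: four ticks on a 300-item page.
    print(sorted(select_ranges([12, 40, 120, 130], 300)))
```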
You know how every email program and every other email service in the world lets you quote the email you're replying to with '>' characters or similar, so you can interleave your replies with what you're replying to?
Only Hotmail lacks that feature.
When I get an email from someone that is obviously not really from them, my first thought is not that their email account was hacked. I generally assume someone picked their email address and used it for a false email header. It could have been sent from anywhere by anyone with no access to the real email system it belonged to at all.
I checked the article to get more details. It's hard to tell. What I really wanted to know was, did he check the information in one of these emails and determine that it really was sent from his account on Hotmail.
It seems much more likely to me that someone who would use a 7-character lower-case password for their email account would probably use the same password at a multitude of other websites. He's probably used the same password for years.
I used the same password for nearly 10 years over many MMORPG's (and associated websites) before my Hotmail was hacked. Gmail followed shortly after that. There are an awful lot of machines that my password goes through that could be breached.
I still give points to Gmail though. When it was hacked it had a nice red bolded message informing me of the fact that it had been accessed by an IP that was not in my normal IP range. The only clue I had for my Hotmail was the large amount of sent mail and bouncebacks.
I can think of lots of ways that his account could have been compromised that wouldn't be Hotmail's fault. I wish there were more details on how he got hacked exactly.
Even if many of microsoft's divisions perform excellently, one division's failure can spell doom for the total user experience.
This has always been my problem with microsoft.
Microsoft is like the GM or GE of the computing world; its only endearing quality is its sheer massiveness. Nobody likes GE or GM as a whole (though there are many who love, say, an NBC or MSNBC show from GE or the Corvette from GM), though individual divisions can create somewhat brilliant offerings.
Microsoft needs to focus on less things and do them better, or just become a neutral commoditized platform provider and not worry about going toe to toe with the likes of Sony, Google or Apple.
As a user of Windows from version 3.1 hence (and the guy my entire family calls for PC issues) I'm tired of giving microsoft another chance to get it right, a decade of patronage is all I've got, I'm switching to other platforms.
I Hope OS X gets more gamer friendly or Linux gets a bit more driver inclusive.
It's called an integrated user experience... when Microsoft does it, it's cramming products down people's throats...
Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features such as the Metro Store, synchronization and SkyDrive,' he writes.
Begs the question: Why would anyone who claims to be a "PC Pro" use Windows 8? Or even Windows 7. Or god forbid, Vista.
TFA is an anti-advertisement for "PC Pro", whatever it is, website or pulp.
XPSP3 was the end of the line for Windows. It is the most secure and least intrusive Windows OS for anyone who knows what they are doing.
Just my 2 cents, based on using and maintaining more than a dozen Windows laptops.
Fwiw, I have accounts on both Hotmail and Gmail, from near the inception of each, and neither of them have ever been hacked.
Sounds like he is an idiot who entered his password into some sort of malware. I have used hotmail/msn/xboxlive for a long time and the only people who get fooled into this type of attack are not tech savvy. Usually this type of attack appears from another user on MSN who sends you a msg "HEY I POSTED THOSE PICTURES FROM THE PARTY" redirecting you to a fake site login.......which you must enter your MSN credentials into. Thus stealing your account's password. I say it's hardly Hotmail's fault ....more like user error
I'm not completely familiar with Microsoft's password recovery practices, but if recovery is something like 'enter your mom's name' then your password is as strong as your mom's name.
It just takes an extra step.
This is why it's called, "hot" mail. Because most of the active accounts are stolen.
1. Did the attacker brute force/exploit to get into his account, or did he just guess the password? If the password was easy and the attacker guessed it, then it is the editor's fault. If the system was compromised or brute forced then it is completely Microsoft's fault.
2. Was the password commonsense or easily guessable? If you use a stupidly easy password(12345, anyone?) then it is completely your fault. There is no case for "microsoft should have forced a tougher password". It is up to the user to use security properly.
3. Does MS really allow enough attempts that brute forcing would not immediately be noticed and flagged? How many actual users do you think would try to log into their account a couple dozen times per second at least?
4. Doesn't hotmail have any sort of outgoing spam guard? I know on GMail when you try to send certain formatted or link-containing messages to hundreds of people, they check to see if the outgoing mail is spam-like.
If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
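Two comments in this thread (the one asking for logic that suspends accounts which start mass-mailing their contact lists with suspicious links, and question 4 above about an outgoing spam guard) describe the same control. Here is an added example of such a detector (my own code, not Hotmail's or Gmail's): it runs a per-sender sliding window over constructed outbound-mail log lines and raises one alert when link-bearing mail goes to enough distinct recipients covering a large share of the sender's contact list. The log format, contact list and thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed outbound-mail log, not real service telemetry.
# Assumed format per line: <ISO timestamp> <sender> <recipient> link=<0|1>
SAMPLE_LOG = """\
2012-04-28T22:10:01 alice@example.invalid bob@example.invalid link=0
2012-04-28T23:40:12 alice@example.invalid carol@example.invalid link=1
2012-04-28T23:40:13 alice@example.invalid dave@example.invalid link=1
2012-04-28T23:40:15 alice@example.invalid erin@example.invalid link=1
2012-04-28T23:40:15 alice@example.invalid frank@example.invalid link=1
2012-04-29T08:00:00 alice@example.invalid bob@example.invalid link=1
not a log line at all
"""

# Constructed contact lists, keyed by sender.
CONTACTS = {
    "alice@example.invalid": {"bob@example.invalid", "carol@example.invalid",
                              "dave@example.invalid", "erin@example.invalid",
                              "frank@example.invalid"},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) link=([01])$")

@dataclass(frozen=True)
class Sent:
    when: datetime
    sender: str
    recipient: str
    has_link: bool

def parse_log(text):
    """Parse log lines into Sent records; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Sent(datetime.fromisoformat(m.group(1)),
                               m.group(2), m.group(3), m.group(4) == "1"))
    return events

def burst_alerts(events, contacts_by_sender, window=timedelta(seconds=60),
                 min_recipients=3, min_fraction=0.5):
    """Return [(time, sender, recipients)] once per burst in which a sender's
    link-bearing mail within `window` reached at least `min_recipients` distinct
    addresses covering at least `min_fraction` of that sender's contact list.
    The alert is raised when the threshold is first crossed and not repeated
    until the burst subsides."""
    recent = defaultdict(deque)    # sender -> link-bearing events inside the window
    alerting = defaultdict(bool)   # sender -> currently above threshold?
    alerts = []
    for ev in sorted(events, key=lambda e: e.when):
        if not ev.has_link:
            continue                # plain mail never counts toward the burst
        q = recent[ev.sender]
        q.append(ev)
        while ev.when - q[0].when > window:
            q.popleft()             # age out events older than the window
        contacts = contacts_by_sender.get(ev.sender, set())
        rcpts = {e.recipient for e in q}
        covered = len(rcpts & contacts) / len(contacts) if contacts else 0.0
        suspicious = len(rcpts) >= min_recipients and covered >= min_fraction
        if suspicious and not alerting[ev.sender]:
            alerts.append((ev.when, ev.sender, frozenset(rcpts)))
        alerting[ev.sender] = suspicious
    return alerts

if __name__ == "__main__":
    for when, sender, rcpts in burst_alerts(parse_log(SAMPLE_LOG), CONTACTS):
        print(f"{when.isoformat()} suspend {sender}: links to {len(rcpts)} contacts")
```

The isolated link-bearing message the next morning does not fire, which is what keeps a threshold like this from punishing ordinary use; tuning the window and fraction to real traffic is the part this toy leaves out.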
Talk about an epic fail.
The main issue now is, how did it get hacked, as millions of users are using hotmail/live-platform daily without problems.. Maybe the reporter was a bit dumb and put his login-account details on a hazy website for some reason (like an external importing app, or a malicious app for his phone/tablet/whatever)..
It's not like an account can be hacked that easily (just as easy as a GMail account could be hacked)..
So the hacking of his account doesn't have anything to do with the service itself..
Microsoft has no fucking clue how to design good software/services.
A bit of a shameless plug, but not too long ago I wrote a blogpost concerning this issue:
http://bartblaze.blogspot.com/2012/04/hacked-hotmail-accounts-and.html
On the 22nd, this happened when I tried it in a VM: log into a disposable hotmail account and open another browser tab. In the new tab, go to lots of disreputable sites such as astalavista.am. And behold: you have been logged out of hotmail. Log back in and note that you now have a bunch of bounce messages from the spam sent by whoever just hijacked your hotmail account.
Perhaps Microsoft fixed it by now. Nonetheless, Hotmail has a long history of incredibly bad exploits, such as when anyone could view anyone else's account by modifying a URL after logging in. I wouldn't trust it.
I remember in the early 2000s they reduced their capacity to 2MB. A few years later Gmail came along with 1 gig - I haven't looked back. I will never ever use hotmail again in my life.
I wouldn't even have got that far with Hotmail.
Like Yahoo, Hotmail has animated ads. I can't concentrate on writing an email with something flashing in the corner of my eye, so that renders it completely unusable for me. If the ads were a little more discreet, like gmail's, I'd use it more - I do use it for a secondary account to avoid the "keeping all eggs in the (google) basket" problem.
I guess adblockers would be the answer, but if a service doesn't want to be usable, why should I use it?
Years ago, my father and I were both astonished to discover that hotmail was supposed to be a legitimate mail service. We'd both received so much porn spam from hotmail addresses (hot mail, right?) and didn't know anyone who actually used it. I can't believe that anyone would intentionally switch to it.
After all, your cries implying Microsoft were innocent are quite insane.
To brute force an email address would require at least tens of thousands of attempts and likely several magnitudes more. There is no way this is possible with any email service with timeouts and/or captchas.
But coming down on Hotmail because you're too stupid to either use a complex password on your incredibly well-known email address, or to keep your system clean of keyloggers, is a bit over the line.
Actually this is a perfectly valid password if you're testing something compared to an average, non-technical person
It may even be a better password than a common user has... as people often use the name of their firstborn or some stupid crap like that.
Most secure systems I know of will (temporarily) lock an account after a number of successive incorrect login attempts. So assuming his password might be something similar to igotmilk (ok, that's at least 8 chars)... well
If it's a weak password, then either it shouldn't have been allowed in the first place, or the service should have good anti brute-force measures.
Hotmail's not the worst culprit. Many banks I know have password restrictions such that you can't even enter special characters if you want to, and passwords must be 8 chars or less.
I've had no problems with Hotmail but I don't usually use it with Windows, which may be why I've had no issues. However, many years ago I had another Hotmail account which got totally spammed. I couldn't use it because it filled up with spam so quickly that the small space they allowed back then was full in a matter of hours. If you could log in, you couldn't remove the spam as quickly as it was coming in.
I've been a long time Hotmail user. Just Hotmail, not Live or Xbox or anything else. My pw is 7 chars of mixed upper, lower, and numeric. Totally random. And used only for Hotmail. Friday night 3 emails were sent in short succession to my 5 member contact list. Each email contained a link to a separate compromised URL. The emails are still sitting in my outbox, so it was not like someone just copied my contact list and spoofed the headers. And they did not change the Hotmail PW or otherwise change any settings. I do not know how they broke in. Virus scans with Avast and AVG came up empty. I've since changed the password, and re-imaged my computers. There must be some exploit making the rounds.