Microsoft's Hotmail Challenge Backfires

← Back to Stories (view on slashdot.org)

Microsoft's Hotmail Challenge Backfires

Posted by samzenpus on Wednesday April 25, 2012 @09:50AM from the not-the-desired-outcome dept.

Barence writes "Microsoft challenged the editor of PC Pro to return to Hotmail after six years of using Gmail, to prove that its webmail service had vastly improved — but the challenge backfired when he had his Hotmail account hacked. PC Pro's editor say he was quietly impressed with a number of new Hotmail features, including SkyDrive integration and mailbox clean-up features. He'd even imported his Gmail and contacts into Microsoft's service. But the two-week experiment came to an abrupt end when Hotmail sent a message containing a malicious link to all of his contacts. 'What's even more worrying is that it's not only my webmail that's been compromised, but my Xbox login (which holds my credit card details) and now my PC login too. Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features such as the Metro Store, synchronization and SkyDrive,' he writes."

93 of 453 comments (clear)

Yes, but other than that, how did you like it? by Anonymous Coward · 2012-04-25 09:55 · Score: 5, Funny

Other than that, would this be an experience you would recommend to others?
1. Re:Yes, but other than that, how did you like it? by masternerdguy · 2012-04-25 09:56 · Score: 4, Insightful
  
  I actually feel sorry for M$ on this. They tried so hard and genuinely improved the service and this happens. Still hilarious though.
  
  --
  To offset political mods, replace Flamebait with Insightful.
2. Re:Yes, but other than that, how did you like it? by cratermoon · 2012-04-25 10:03 · Score: 3, Funny
  
  Obligatory: Other than that, Mrs. Lincoln, how did you like the play?
3. Re:Yes, but other than that, how did you like it? by devitto · 2012-04-25 10:14 · Score: 4, Funny
  
  Other than that, would this be an experience you would recommend to others?
  I can't see why Playstation owners wouldn't migrate.
4. Re:Yes, but other than that, how did you like it? by AngryDeuce · 2012-04-25 10:20 · Score: 5, Informative
  
  It's funny, but that was exactly the same thing that convinced me to leave Hotmail once and for all 2 years ago, and I'd had the same Hotmail email address since before Microsoft even bought it back in the late 90's.
  The thing that really pissed me off was that, when I contacted Microsoft and told them I got hacked and requested they delete the account, they flat out refused to do so, and told me I'd just have to wait until it was deleted due to inactivity. Because I'd had that email address for so long, I had literally hundreds of contacts that got hit with spam messages (to include former employers and companies that I had job applications on file for, how embarrassing THAT was). I wanted the email address dead so that I didn't have to worry about it happening again in 8 months, but apparently that was just too much to ask. My password was not some ridiculous '123456', either, it was a non-dictionary stream of mixed-case letters with numbers and special characters, so simply changing the password was not a satisfactory course of action in my opinion (and I told them that), but of course, what the hell can I do when they just say "no"? Sue them? I wish I had that kind of time and money. For all I know, they could have hacked the email again and reset the clock, but I made sure to delete every contact, set the inbox to exclusive, and set it to delete junk immediately upon receipt before I abandoned the account, so if the assholes manage to steal it again, it won't be much use to them.
  The Xbox Live people were much, much more helpful with migrating my account to Gmail. For the days it took for the Live Mail team to respond to me, I was squared away in minutes with the XBL rep, and we even ended up bullshitting about old school video games for like 25 minutes afterwards.
  Funny how much different two arms of the same fucking company can be.
5. Re:Yes, but other than that, how did you like it? by vux984 · 2012-04-25 10:30 · Score: 4, Insightful
  
  What makes you think deleting the email account that minute would have made the slightest difference?
  They got in, skimmed it for the contact list, and they are done.
  They don't actually need access to your account to send email masquerading as being from you to spam your contacts from then on.
6. Re:Yes, but other than that, how did you like it? by PickyH3D · 2012-04-25 10:50 · Score: 4, Insightful
  
  If you drove a Lexus, then why did you switch to the Yugo? The only serious answer that you can give is that the old-Lexus brand that you knew had failed.
  There are plenty of flavors of Linux, BSD and even Mac OS X if that floats your boat. Being "stuck" with Windows is your own fault, or you if it has applications that you require, then whose fault is that (hint: not the company that wrote the operating system)?
7. Re:Yes, but other than that, how did you like it? by AngryDeuce · 2012-04-25 11:07 · Score: 2
  
  It's possible, but I honestly doubt it. I've been a long time adblock/noscript user, do regular OS reinstalls, have browsers set to automatically delete cookies and shit on close, run CCleaner nightly before shut down, and install a new piece of software at all maybe once a month, if even that. Not to say those behaviors are an impenetrable shield or anything, but I feel I'm reasonably careful on the net.
  The fact that none of the other email addresses were compromised leads me to believe they managed to puzzle out my password, but I honestly don't know how. Either way, the point is moot...all I wanted was for Microsoft to close the fucking account and they just would not. I really don't understand why they couldn't just delete the email address completely. I was the verified owned of the account, I had to give them all the info to even open the ticket in the first place...how hard could it have been? Even if I wasn't hacked and just wanted to close the damn account, what right do they have to tell me "no"? It's my damn email for fuck's sake, I created that account before it was even a Microsoft property...
8. Re:Yes, but other than that, how did you like it? by FrootLoops · 2012-04-25 11:09 · Score: 5, Interesting
  
  How is this Microsoft's problem? The possibilities are...
  (1) A guy writing articles about his new email address used a relatively weak password and someone guessed it
  (2) He logged in on a compromised machine
  (3) Microsoft has a genuine security problem
  The guy leaped right to (3), which seems the least likely to me. Since "my PC login" has also been compromised, (2) seems right. I can't help but feel this would have been pointed out long ago if the service were Gmail instead of Hotmail.
  Before it gets quoted back to me, he justified (3) by saying
  
  although I have to say from anecdotal evidence that Hotmail seems far more susceptible to account hijacking than Gmail.
  That's a very weak argument--it's based on anecdotal evidence and ignores possible differences between user populations. You'd think the editor of a magazine would take the time to write a thorough article instead of a knee-jerk one.
9. Re:Yes, but other than that, how did you like it? by PaladinAlpha · 2012-04-25 11:30 · Score: 4, Insightful
  
  This would hold water if Microsoft weren't a convicted monopolist.
  They did some things right -- they gambled on backwards compatibility at expense of efficiency and won big-time. But they pulled a lot of dirty tricks, too, and their market position partly reflects that.
10. Re:Yes, but other than that, how did you like it? by danomac · 2012-04-25 11:32 · Score: 2
  
  From the article:
  
  Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It’s not the world’s strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn’t that weak, either.
  Yeah, not a very strong password. What the hell was he thinking? At least mix case and have one number. Passwords I use have mixed case, numbers and symbols in it so it's not so easy to guess.
11. Re:Yes, but other than that, how did you like it? by sortadan · 2012-04-25 11:39 · Score: 5, Insightful
  
  Agreed. Unless the hacker exploited a flaw in Hotmail to get the login credentials or it was obtained from some other Microsoft service (highly doubtful), then really it could be the editors fault for either having an easily guessable password (the same as he luggage perhaps), or logging in from a computer that had been rooted and was key logging or whatever.
12. Re:Yes, but other than that, how did you like it? by sjames · 2012-04-25 11:59 · Score: 2, Funny
  
  Other than that, Mrs. Lincoln, how was the play?
13. Re:Yes, but other than that, how did you like it? by hairyfeet · 2012-04-25 12:03 · Score: 3, Informative
  
  This is also very informative, at least for me, as it gives me one more reason to avoid Win 8 as i had no idea everything in their new appstore was tied to hotmail. So Barance thanks for submitting this article, most grateful. Sorry about the poor bastard that tried Hotmail and got pwned but there is a good reason why many of us avoid hotmail like the clap.
  as for feeling sorry for MSFT? the only thing I feel sorry for them for is they are stuck between a rock and a hard place, but that was their own design and shortsightedness so i am having trouble feeling sorry for it. What I mean is that they really need a hold in mobile because the desktop is mature tech and won't be gaining anymore but the only reason people buy Windows is for Windows programs which of course don't run on anything but x86. But of course this is their own fault as Cutler originally designed WinNT to be portable and if they would have maintained that focus instead of going Wintel they wouldn't be screwed out of mobile as they are now as the Windows programs could have run on ARM, or MIPS, or any other chip.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
14. Re:Yes, but other than that, how did you like it? by Ruie · 2012-04-25 12:29 · Score: 3, Insightful
  
  From the article:
  
  Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It’s not the world’s strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn’t that weak, either.
  Yeah, not a very strong password. What the hell was he thinking? At least mix case and have one number. Passwords I use have mixed case, numbers and symbols in it so it's not so easy to guess.
  Why would a moderate strength password not be enough ? I am sure even MS rate-limits login attempts. And if someone got root to Hotmail servers you are screwed anyway.
15. Re:Yes, but other than that, how did you like it? by Dan541 · 2012-04-25 12:31 · Score: 3, Interesting
  
  From TFA
  
  I set about trying to change my passwords. Hotmail was easy enough, but as that email address was also used as my iTunes login, I wanted to change that password as well. Except Apple’s changed its password policy since I last changed mine, forcing me to include a capital letter, a number, a set number of characters and a symbol from the Ancient Greek alphabet (I exaggerate only slightly). As my Gmail account was linked to that now compromised Hotmail inbox, I had to change that password too. So I now had three new passwords – all using slightly different systems – swimming round my slightly inebriated brain, and I can’t even remember the name of my news editor when I’m sober. If I’m still able to access my iPhone and Gmail account today, it will be nothing short of miraculous.
  I'm curious to know how strong this password, used in multiple places really was.
  
  --
  An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
16. Re:Yes, but other than that, how did you like it? by Smallpond · 2012-04-25 12:59 · Score: 5, Funny
  
  I'm curious to know how strong this password, used in multiple places really was.
  Very strong. Instead of the usual 12345 he used 54321.
17. Re:Yes, but other than that, how did you like it? by PuZZleDucK · 2012-04-25 13:05 · Score: 5, Insightful
  I'll third that. I was appalled with the editors attitude to paswords.
  
  1. He uses all lower case letters [FAIL - you know the rules you work at PCP]
  2. He was shocked one of his services had woken up and hardened its password policy [FAIL - you should be encouraging this kind of behaviour, not dissing it - I'm pissed when I'm _not_ allowed to use special characters]
  3. He obviously has no password managment plans [FAIL - If I had to replace every single one of my passwords today it would be a hasstle but there would be no chance of me not being able to recover accounts the next day]
  I feel less inteligent after having read this article... help me!
  --
  Can a person program a new solution to a problem? Why should anyone be able to stop such a thing? -Richard Stallman
18. Re:Yes, but other than that, how did you like it? by Xeno+man · 2012-04-25 13:47 · Score: 5, Insightful
  
  Don't, they have done it to them selves. If Microsoft stopped forcing it's own software down your throat and gave users choice they would have better products. Windows 8? You need to use your windows live account, check your email through Live messenger, you want to use Internet explorer, don't you. Also your default search is Bing, whoops you changed that to Google, lets change that back to Bing because you fucking love Bing, don't you? Don't you!?!
  
  Sometime when products work together they work better but sometimes you need separation between your accounts. If I have an Xbox live account I may want my credit card on there to buy things but if I also have a hotmail account, I may have zero reason for hotmail to have my credit card number. Maybe I want them linked together and to share data and maybe I want them worlds apart and not even know the other exists. Just give me a fucking choice.
19. Re:Yes, but other than that, how did you like it? by Anonymous Coward · 2012-04-25 14:01 · Score: 3, Insightful
  
  The monopoly part was for pushing their browser, not the operating system. Besides, it happened over a decade ago and you are still going on about that bullshit? Give it a rest. No one cares or even remembers (clearly you don't).
20. Re:Yes, but other than that, how did you like it? by FrootLoops · 2012-04-25 14:07 · Score: 2
  
  While I tend to agree, I've always figured people get around rate limits by having a huge pool of addresses they try brute forcing. Rotate the addresses quickly enough to prevent being rate-limited (possibly using a botnet to spread the IPs around?). The odds of guessing correctly are essentially the same with either strategy (this actually has lower variance, though the expected number of compromised accounts should be the same).
  Someone mentioned a good possibility in this vein: he reused his password on a site that got compromised which was then connected to his Hotmail account. He has a strong history of password reuse from the article.
21. Re:Yes, but other than that, how did you like it? by DavidD_CA · 2012-04-25 14:08 · Score: 4, Informative
  
  You need to use your windows live account, check your email through Live messenger, you want to use Internet explorer, don't you.
  Hello. I am using Windows 8.
  I did not need to provide my Windows Live login for anything. While it is suggested, it certainly wasn't required.
  I am using the built-in email, calendar, and messenger apps. All of them allow connectivity to multiple services including Exchange, Facebook, and more. (Yes, I can even see my Facebook contacts and events integrated into the various apps.)
  And while Windows 8 certainly ships with IE 10, you're not forced to use it. I could have easily installed Firefox and tabbed it to the Metro screen if I wanted.
  
  --
  -David
22. Re:Yes, but other than that, how did you like it? by Microlith · 2012-04-25 14:11 · Score: 5, Insightful
  
  People do care and do remember, because their OS monopoly is what allowed them to gain a browser monopoly and set the web back several years. They did leverage their position to ensure that non-Microsoft OSes were not distributed on OEM PCs, particularly BeOS which they threatened HP over.
  Please don't shill for Microsoft.
23. Re:Yes, but other than that, how did you like it? by amiga3D · 2012-04-25 14:20 · Score: 2
  
  Sometimes it's amazing how much like the government they are. Things almost never make sense and when they actually do everyone is shocked and amazed.
24. Re:Yes, but other than that, how did you like it? by Jah-Wren+Ryel · 2012-04-25 14:22 · Score: 5, Insightful
  
  I feel less inteligent after having read this article... help me!
  And yet everything you listed is typical of regular users and hotmail's target audience is regular users. The author may be a dolt because he failed to apply the expertise that is a requirement of his job, but when you have to be an expert to properly use a consumer-grade service, the real problem lies squarely with the service, not the user.
  
  --
  When information is power, privacy is freedom.
25. Re:Yes, but other than that, how did you like it? by phantomfive · 2012-04-25 14:24 · Score: 2
  
  I'm stuck on Windows because that's what we use at work. In places where I have a choice, I don't use it.
  
  --
  "First they came for the slanderers and i said nothing."
26. Re:Yes, but other than that, how did you like it? by Cylix · 2012-04-25 14:33 · Score: 2
  
  I find the correct horse battery staple password for ages. Thanks xkcd!
  
  --
  "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
27. Re:Yes, but other than that, how did you like it? by mcneely.mike · 2012-04-25 14:46 · Score: 2
  
  2. He was shocked one of his services had woken up and hardened its password policy [FAIL - you should be encouraging this kind of behaviour, not dissing it - I'm pissed when I'm _not_ allowed to use special characters]
  Amen to that.... not being able to input the characters i want is epic fail.
  
  --
  soylentnews.org Go there to enjoy the people!
28. Re:Yes, but other than that, how did you like it? by MurukeshM · 2012-04-25 15:00 · Score: 2
  
  I think they need an a Live account or something, and your hotmail account is automatically one, but I have seen people using GMail ids for making this live account and logging in to Win8.
29. Re:Yes, but other than that, how did you like it? by shutdown+-p+now · 2012-04-25 15:35 · Score: 5, Informative
  
  From TFA:
  
  (Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It’s not the world’s strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn’t that weak, either.
  So, seven lowercase letters. And this guy thinks it's "not that weak".
30. Re:Yes, but other than that, how did you like it? by shutdown+-p+now · 2012-04-25 15:37 · Score: 4, Informative
  
  Are you also avoiding Android? Because that requires you to be signed into your Google account to do a lot of useful things (like sync stuff).
  On the other hand, just like with Android, you don't have to use your LiveID in Win8.
  As for why the guy got pwned... I'll just quote TFA.
  
  (Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It’s not the world’s strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn’t that weak, either.)
31. Re:Yes, but other than that, how did you like it? by tobiasly · 2012-04-25 15:40 · Score: 4, Interesting
  
  This is also very informative, at least for me, as it gives me one more reason to avoid Win 8 as i had no idea everything in their new appstore was tied to hotmail.
  Haha no kidding. I wonder if they still delete your Hotmail account if you don't log in for 30 days or whatever. Because that would be awesome to find out all my purchased apps were inaccessible because they deleted my "inactive" account...
32. Re:Yes, but other than that, how did you like it? by jcfandino · 2012-04-25 16:12 · Score: 2
  
  It's strange that an xkcd can be so misleading, but this time it is.
  
  The "securer" password has a smaller character space, which means that it's 26 possible characters to the power of the length. The other, has a wider character space; 26 lower case letters, 26 upper case, 10 numbers and 32 symbols (at least directly accessible on a US keyboard layout). In this case the second password needs more combinations to be cracked just because it's longer, but if the same password would have had the character space of the first one, it would need ~9e13 times more combinations to test.
  
  Crackers will always incrementally wide the character space, first all lower case, then start trying more possibilities. And they also use rainbow tables, and it's even easier if it puts dictionary words.
  I personally find much more difficult to remember random words sequences.
33. Re:Yes, but other than that, how did you like it? by DigiShaman · 2012-04-25 17:51 · Score: 2
  
  Ya, that's pretty weak. But that said, shouldn't all secure sites use an anti-hammering scheme with a specified cool down period. You could apply this behavior on a per source IP only so as to not DOS an account. In theory, a distributed botnet could attempt a brute force crack from multiple sources against one account, but how often would that happen unless you were specifically targeted in the first place?
  
  --
  Life is not for the lazy.
34. Re:Yes, but other than that, how did you like it? by Anonymous Coward · 2012-04-25 18:16 · Score: 4, Informative
  
  It is assuming that the first password is generated by the once-recommended technique of starting with a word (to make it easy to remember) and inserting misspellings and doing character substitutions. E.g. "hackers" -> "h4kk3rz!!52".
  It is pointing out that this adds less entropy than just inserting some more random words, while being significantly harder to remember for most people. The words are easier to visualize and associate with other cues.
  You would only be correct if the password was generated completely at random, which is often not the case.
35. Re:Yes, but other than that, how did you like it? by shutdown+-p+now · 2012-04-25 19:02 · Score: 3, Informative
  
  As long as you don't want to do things like, oh I don't know, use the email app to get email
  If your email is a Hotmail account, then you will, of course, need to use that account (which doubles as a LiveID) for that specific app - kinda hard to avoid that part. If you use something else, you don't need a LiveID.
  
  update the stock apps
  I'm not sure whether this refers to "update stocks" or "update app". If the former, then you don't need a LiveID for that. If the latter, then you only need to be logged in for as long as it takes to install/update the app (much like iOS).
  
  or have a Calendar, or have an address book -
  Nope, not needed.
36. Re:Yes, but other than that, how did you like it? by the_B0fh · 2012-04-25 19:18 · Score: 5, Insightful
  
  Does it matter if it is "weak" or not? Unless the hackers compromised hotmail's password file and is busily trying to crack it, it is irrelevant.
  What is relevant is that hotmail is apparently open to being bruteforced. Now, *THAT* is a fail.
37. Re:Yes, but other than that, how did you like it? by JonJ · 2012-04-25 19:46 · Score: 2
  
  and no Linux was not a viable alternative for media production...
  Of course it wasn't, that's why dreamworks use it on their desktops.
  
  --
  -- Linux user #369862
38. Re:Yes, but other than that, how did you like it? by Sigg3.net · 2012-04-25 20:28 · Score: 2
  
  In Norway you're an IT expert if you have glasses, want to get your name in the newspapers and can provide a Top 5 list of freeware tools from Cnet.
  You are up to date if you can distinguish the various windows 7 editions.
  Don't look at me. When people ask, I'm a student.
  
  --
  Defining Statistics and Social Research
39. Re:Yes, but other than that, how did you like it? by ArsenneLupin · 2012-04-25 21:35 · Score: 2
  
  I'm curious to know how strong this password, used in multiple places really was.
  ... and how multiple the places really were, and how trustworthy all of them actually were...
  And a "place" doesn't actually need to be actively malicious, just sloppy/misguided. Such as making you log in over unsecured http, enabling a malicious third party to easily snoop. Some large chat/meetup site that I use only enables premium members to log in via https. Other must use plain http.
40. Re:Yes, but other than that, how did you like it? by defile39 · 2012-04-25 23:26 · Score: 2
  
  Not just about the browser and gaining browser share. First off, Microsoft's attack on browser manufacturers helped reinforce its operating system monopoly. The browser is a form of middleware that Microsoft feared would enable firms to create cross-platform applications written to browsers instead of operating systems. Just think, but for Microsoft's exclusionary conduct, what's happening now might have happened 10 years ago. But browsers aside, Microsoft also attacked Java. It developed its own proprietary version of java and told application developers to write to that Java because it would be compatible with Sun's Java. But it wasn't. It was MS-proprietary and programs written to it likely wouldn't run properly on other operating systems. Microsoft's conduct wasn't about getting a foothold in browsers. It was about eliminating threats to its applications barrier to entry and to its OS dominance.
41. Re:Yes, but other than that, how did you like it? by kikito · 2012-04-26 02:29 · Score: 2
  
  12345?
  Wow, that's even stronger than asdfg. Because you have to move your fingers up! Genius!
42. Re:Yes, but other than that, how did you like it? by hesaigo999ca · 2012-04-26 03:25 · Score: 2
  
  Yet funny enough, I have integrated my phone to send me a code when i log in to my hotmail account else it does not let you...why would he not have used this if he really wanted to test all the new features, facebook has it, gmail has it...thats like only testing the gas pedal on a car without touching the brake pedal and then saying it was not the same driving expereince...
43. Re:Yes, but other than that, how did you like it? by Jah-Wren+Ryel · 2012-04-26 03:49 · Score: 3, Insightful
  
  How is it the services fault if the user uses the same password on all services?
  Using the same password everywhere is what normal people do. Not because they are stupid, but because password authentication systems simply do not scale. Normal people can handle 2 or 3 different passwords at most. Expecting normal people to keep track of 5+ unique passwords is a losing proposition.
  
  --
  When information is power, privacy is freedom.
44. Re:Yes, but other than that, how did you like it? by rbgaynor · 2012-04-26 03:58 · Score: 3, Informative
  
  Sorry but a lot of the default apps that come with Windows 8 - mail, calendar, address book, app store- won't even let you past the start screen if you don't log in with a Windows ID. Even if you want to use the default Mail app for a non-Hotmail account you need to log in with a Windows ID. Not only that, but Windows 8 pushes you to use your Windows ID as your login for your user account.
  
  --
  "Good things don't end with eum, they end with mania or teria." - H. Simpson
Backfires? by busyqth · 2012-04-25 09:56 · Score: 5, Funny

Hotmail sent a message containing a malicious link to all of his contacts
It seems to me that it was convincingly demonstrated that Hotmail has a few features that Gmail lacks.
Good job Microsoft!
Epic Fail by girlintraining · 2012-04-25 09:56 · Score: 4, Insightful

Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features
So the Marketing department got the green light over the Security department during the development of Windows 8. Naturally, it is the Security department's responsibility to ensure that when the Marketing department does something stupid like linking account credentials between two separate administrative domains, it's Security's responsibility to sprinkle magic fairy dust over it.
Okay, I'd like my $80,000 bonus now, and a letter of resignation from the chief designer of the Windows Live security team please. Also, let the marketing department know that we'll need to find someone to spin the bad press away, you know, the usual crap about it being a beta release and then suing him for violating the NDA that says he can only report positive experiences with the beta.

--
#fuckbeta #iamslashdot #dicemustdie
1. Re:Epic Fail by Anonymous Coward · 2012-04-25 10:18 · Score: 4, Informative
  
  Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features
  Google does exactly the same thing (even with google Checkout; at least the xbox account can only be used to buy games for that same account).
  Apple does the same thing, as far as I am aware.
  I'm not saying it's right, but it seems to be par for the course
RTFA by Anonymous Coward · 2012-04-25 09:58 · Score: 2, Informative

From the article (but curiously missing from the summary):

(Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It’s not the world’s strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn’t that weak, either.)
In other words he used a shitty password and got hit by a dictionary attack. Nothing new or interesting here. Move along.
1. Re:RTFA by Soporific · 2012-04-25 10:01 · Score: 2
  
  His password was the same as the one to his luggage...
  ~S
2. Re:RTFA by Anonymous Coward · 2012-04-25 10:05 · Score: 3, Informative
  
  7-letter lowercase password that's not a dictionary word... that's about 33 bits worth. And that's not offline bruteforceable. What kind of retarded system doesn't do *something* after a few BILLION failed login attempts?
3. Re:RTFA by ais523 · 2012-04-25 10:05 · Score: 5, Insightful
  
  No way that a web-based service should allow that sort of dictionary attack to succeed. It's not too hard to deliberately spend a sufficiently long time authenticating someone (especially if there have been a bunch of password failures recently on the account / from that IP) that dictionary attacks become unfeasible; it's not like you get to attack the hash. (Look at Wikpedia, for instance, where three login failures cause you to need to fill in a CAPTCHA to log in.)
  
  --
  (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
4. Re:RTFA by Anonymous Coward · 2012-04-25 10:11 · Score: 2, Informative
  
  I'm not so sure, other AC
  Any internet exposed service of non-tribal size will tarpit/lockout an account LONG before a string of characters that long is brute forced/dictionaried.
  For a long time I've seen a LOT of hotmail accounts compromised. Actually, pretty much everyone I've known that has ever used a hotmail account has had it hacked. I would not be surprised if there's another vector here.
5. Re:RTFA by Penguinisto · 2012-04-25 10:14 · Score: 2
  
  That "dictionary attack" should've triggered something on Hotmail's servers after, oh, the 48 millionth failed login attempt in less than five minutes...
  
  --
  Quo usque tandem abutere, Nimbus, patientia nostra?
6. Re:RTFA by TheRealMindChild · 2012-04-25 10:21 · Score: 2
  
  Funny, I wrote a brute force login app for Hotmail back in like 2002, to see if such a thing was feasible (brute forcing that is). After about 5 failed login attempts, each one after that took over a minute. When did they undo this?
  
  --
  
  "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
7. Re:RTFA by IamTheRealMike · 2012-04-25 10:33 · Score: 5, Informative
  
  Yes, no serious web mail service can be compromised by brute force attacks and that is not what happened here.
  Almost certainly, the password in question has been re-used at some other third party website that then got hacked, its password database dumped and the hashes reversed using video cards.
  I work on account security at Google and have spent the last 2.5 years of my life on Gmail anti-hacking. So I'm all too familiar with this type of problem, where spammers mail your contacts with a link to their online stores (or malware). Really feel for the Hotmail team here - it's a hard problem to solve. That said, we've made a lot of progress over time. We've blocked very large numbers of logins to compromised accounts (often between half a million to a million accounts per week). There are still occasional campaigns that get past us but it's getting rarer all the time. It may well be that this guys password was the same on Gmail (ie, he had one password for everything), and there was an attempt made against his account, but we redirected it to the identity verification quiz and thus it was blocked. It wouldn't be remarkable if so.
  I did a public talk at RIPE64 on the topic of signup and login security at Google, for those who are interested. It's about 30 minutes long.
8. Re:RTFA by LoverOfJoy · 2012-04-25 10:42 · Score: 2
  
  Well, to be fair, for his gmail password he had to add a 1 at the end for them to accept it. I guess that's why his gmail account was never hacked.
9. Re:RTFA by moronikos · 2012-04-25 10:51 · Score: 2
  
  I just tried logging in with bad passwords, and after the 10th try, it switched to captcha. This wasn't a brute force attack on the front end.
10. Re:RTFA by complete+loony · 2012-04-25 11:19 · Score: 2
  
  BTW I don't own a mobile phone, can you add an option to quit bugging me about 2-factor authentication?
  
  --
  09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
11. Re:RTFA by __aawavt7683 · 2012-04-25 12:25 · Score: 5, Informative
  
  This happened to me. Around October last year, I logged in, checked e-mail, and left the tab to do something else. About 20 minutes later, I went back to the tab, clicked Inbox, and... nothing happened. Clicked a few more things, nothing expected was happening. Hit refresh, was redirected to the login page. This is _not_ typical.
  When I logged in again, I had 30 bounceback e-mails. I checked sent items, I had 50 new sent e-mails, about 5 addresses each, to my entire contact list with a slew of bad URLs. A couple people contacted me about it. I checked the sent e-mail headers, and the sending IP had an address from Russia, China or some such.
  Compromised password? Not likely -- the password on my e-mail is completely unique, had never been used anywhere else, greater than 10 characters, computer-generated. I never type it on public machines, and hadn't used Hotmail on anything but my work machine, home machine (Gentoo) and Ubuntu box in... a long, long time. They would've needed a keylogger to get it. I scanned my work machine for viruses. Nothing. Perhaps there's an Ubuntu bug that somehow got exploited on me, but that box has never connected directly to the internet.
  I did some research, and the best that I could come up with is a 2011 attack where if an attacker sent you a bad URL, and you opened the e-mail, they could get your session cookie, log in and act like you. That is the _only_ thing that I found. But it was supposed to be fixed earlier in the year, and I don't recall opening any odd e-mails -- clearing the junk folder, seeing the subject, but not opening them. A few from expected sources, sure, but nothing that struck me as odd.
  So I changed my password and immediately stopped using the Hotmail web interface. The problem has not recurred, so suggests it's not an Ubuntu bug. This suggests, then, that there is still a session-hijacking bug in Hotmail somewhere that persists to today.
  Don't always assume it's user error if you can't figure out the flaw.
12. Re:RTFA by rgbrenner · 2012-04-25 13:32 · Score: 4, Informative
  
  sounds like a CSRF vulnerability: http://en.wikipedia.org/wiki/Cross-site_request_forgery
  sites should use a session cookie + a unique value submitted with each post form
  if a site leaves out the 2nd part, and you visit a malicious site while logged in.. then that malicious page can submit a hidden post form to the site and the site will process it as if you submitted it.
  gmail was vulnerable to this a could of years ago
Was it really hotmail hacked... by Anonymous Coward · 2012-04-25 09:58 · Score: 2, Insightful

Or did he just use a crappy password or have malware already on his computer? I know it's popular to bash MS, and I dislike the account convergence we are rapidly screaming towards, but blaming the service when it was more likely that he created the vulnerability is just tacky.
1. Re:Was it really hotmail hacked... by Penguinisto · 2012-04-25 10:16 · Score: 3, Insightful
  
  The malware angle I could see, sitting, err, on his Windows machine.
  No matter which way you slice it, Microsoft's not going to look too awful good from this.
  
  --
  Quo usque tandem abutere, Nimbus, patientia nostra?
weak password by cratermoon · 2012-04-25 09:59 · Score: 4, Informative

From the story: 'For those of you inquiring about the strength of my Hotmail password - it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun.'
1. Re:weak password by TJ_Phazerhacki · 2012-04-25 10:01 · Score: 3, Interesting
  
  Sure. But was it actually Hotmail that was hacked, or the way more likely cause of a non-unique password or existing compromise on his pc? Hell, I know script kiddies who would SALIVATE at the chance to make Hotmail look bad for teh lulz...
  
  --
  Physics is nothing like religion. If it was, we'd have an easier time trying to raise money!
2. Re:weak password by cratermoon · 2012-04-25 10:05 · Score: 4, Insightful
  
  Could be any of those things, or all of those things. In a fully Microsoft monoculture of shared architecture and sloppy security practices, it only takes one weak link to break the whole chain.
SSL still isn't the hotmail default! by Anonymous Coward · 2012-04-25 10:05 · Score: 3, Informative

It's only recently (Nov. 2010) that hotmail even had the option of using SSL:
http://windowsteamblog.com/windows_live/b/windowslive/archive/2010/11/09/hotmail-security-improves-with-full-session-https-encryption.aspx
And SSL still isn't the default option for hotmail.
Gmail at least had the option for SSL for many many years, and google made SSL the default a few years back (after they got hacked by the Chinese).
that will be a death note to enterprise use by Joe_Dragon · 2012-04-25 10:05 · Score: 2, Interesting

Hotmail login same as windows log on and windows store with CC? WOW windows 8 may flop so bad that they have to have a windows 9 next year or a windows 7.5
1. Re:that will be a death note to enterprise use by Anpheus · 2012-04-25 10:13 · Score: 5, Informative
  
  If you took the cursory amount of time to research this, you'd find that (a.) no, Microsoft doesn't expect business users to rely on authenticating against Windows Live, and (b.) that Windows Live log in is optional and not necessary, and a local account works just fine. You just don't get access to some easy synchronization items, but you can still access the windows store and apps by manually logging in.
  But hey, this is slashdot. Who needs to verify before they make grandiose claims?
2. Re:that will be a death note to enterprise use by Zero__Kelvin · 2012-04-25 10:21 · Score: 5, Insightful
  
  ... well then ... it's a damn good thing that almost all Windows users are business users then! You know ... because regular folks would probably sacrifice security for usability if they even knew that was what they were doing. Thank God there aren't many of those types with 'puters connecting their tubes to the Internet!
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
3. Re:that will be a death note to enterprise use by Anpheus · 2012-04-25 10:42 · Score: 4, Interesting
  
  That's irrelevant though, and you're just picking a fight. I was responding to Joe_Dragon's completely inane objection to Windows 8 from a business standpoint, see his title: "that will be a death note to enterprise use". No, it won't be, and I explained why.
  Do you want to engage on a debate on Windows Live logins as well? Because you should know before you start that the Windows Live login has minimum security requirements, doesn't appear to store the Windows Live password locally, and appears to follow some pretty damn good security practices. Now, I haven't fully verified all of these claims, but the login process for Windows Live login appears to use local passwords and certificates to verify the local account password against The Cloud(tm) when available. This is actually an astoundingly good process, as I don't think the hash of the Windows Live password is ever stored on the computer, rather, it can be used to access the local password, but I don't think physical access to a Windows 8 machine can possibly give you access to a user's Windows Live credentials. You can only gain access to local, unencrypted data.
  There are bits of this I haven't verified, but are based off hunches of exploring the system and poking and prodding it. I haven't disassembled the login routines to verify what I think is happening is the actual process, but it appears that Microsoft has very much followed good security practices here. I was extremely impressed to notice that enabling Windows Live login merely downloads a certificate to the user's local certificate store (encrypted by a local password) and that other mechanisms appear to be in place to mitigate security risks.
4. Re:that will be a death note to enterprise use by Cute+Fuzzy+Bunny · 2012-04-25 10:58 · Score: 2
  
  You forgot to mention the part where it was probably a piece of malware that sent the emails using his contact list from hotmail and pretty much had nothing to do with hotmail. I've seen malware that does hotmail AND gmail or outlook or thunderbird or whatever have you.
  It sounds like they made a large mistake. They asked a high touch user to evaluate something and when he had problems he blamed hotmail. I dont think anything that happened to him had much of anything to do with hotmail or windows 8.
  But its kinda fun to figure out what really happened. /would get rid of his hotmail account if he didnt have 9000 places I use it for a login // was really surprised that yahoo inactive-deleted my account. I'd think they need all the dead subscribers they can handle.
5. Re:that will be a death note to enterprise use by dave420 · 2012-04-25 10:59 · Score: 2
  
  You are sorely mistaken about domains and group policies. But why let facts get in the way of a good ol' moan at Microsoft.
6. Re:that will be a death note to enterprise use by lgw · 2012-04-25 12:36 · Score: 2
  
  I suspect he's thinking of the ARM-based devices, which can't join a domain. Windows 8 on Intel/AMD won't habe the limits the GPP is complaining about, but the ARM-based stuff will be useless to the corporate world.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
samzenpus, you idiot! by X0563511 · 2012-04-25 10:08 · Score: 2

Why is this in idle? After that blatant dupe earlier...
You are grounded!

--
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Think of the alternatives by Groo+Wanderer · 2012-04-25 10:10 · Score: 2, Funny

MS is continually bashed for security reasons, and mocked for being a virus spreading engine etc etc. Those who continually make such silly and baseless allegations, as evidenced by the story above, don't even once think about the alternatives and THEIR security problems.
After dumping Windows and MS products in general a few years ago, I have had a first hand hard lesson in the probelms of 'alternative' OSes, if you can call them that. My problems have been nearly unending since switching to Linux, I mean just last month, or was it the month before, my laptop crashed. This wasn't the first time either, it routinely happens 2-3 times a year.
Think about it people, if you don't use MS, you might not have horrific security problems that compromise all conected devices and identities, but you may have to suffer through a similar fate to me. Be careful what you ask for, and THINK before you whine in public.
-Charlie
On the positive side (for consumers)... by SpryGuy · 2012-04-25 10:13 · Score: 2

...perhaps this will light a fire under Microsoft to get their system a bit more secure (in spite of weak passwords like the one the guy used), and not allow things like spamming all contacts without some second-source notification/response, or some other easy to implement blocks to this sort of behavior.
And the result for consumers will be a more robust system in general (Microsoft Account/WindowsLiveID, as well as HotMail, Win8, XBoxLive, etc).
Failures often spur innovation and improvement. They're not always a bad thing (though this one is particularly embarassing, it may be just that level of embarassment that drives the motiviation to work on solutions to the problem).

--

- Spryguy
There are three kinds of people in this world: those that can count and those that can't
It wasn't THAT bad a password actually by silentcoder · 2012-04-25 10:14 · Score: 4, Informative

http://xkcd.com/936/
Truth be told the passwords we actively encourage are no stronger than what he used.
If you want a really strong password, use a sentence of random words. Password length matters far more than password content - this is a simply provable fact - too bad hardly anybody in security realizes it.

--
Unicode killed the ASCII-art *
1. Re:It wasn't THAT bad a password actually by blueg3 · 2012-04-25 11:36 · Score: 3, Insightful
  
  Well, GPU cracking is something like 500 million hashes / sec = 2^29 hashes/sec. Four words out of a 2k-word dictionary (which is small), selected randomly, is a space of 2^44 passwords. That's about 9 GPU-hours, which is not good. Adding a fifth word increases this to roughly 2 GPU-years (a factor of 2^11). Adding numbers in between the four words increases the password space by about 2^5, which is something (~300 GPU-hours) but is not really substantial. (A sixth work makes it 4000ish GPU-years, which is starting to get really cost prohibitive.)
  More effective, really, is for people storing passwords to increase the cost of computing hashes. If you use something like HMAC, both cracking time and password verification time scale linearly in the number of rounds. Client-side, this is easy. Well-designed modern encryption software, for example, uses enough rounds in password-based key derivation that it takes on the order of a second to compute. That's roughly a million rounds, so password cracking against a 4-word password at 500 Mhashes/sec increases from 9 GPU-hours to 1000 GPU-years. Server-side, password verification is more expensive, but even using thousands of rounds of SHA1 over one round of MD5 is a huge security increase.
  Unfortunately, the end user has little control (or even knowledge) of how passwords are stored server-side.
2. Re:It wasn't THAT bad a password actually by swillden · 2012-04-25 11:44 · Score: 3, Insightful
  
  http://xkcd.com/936/
  Truth be told the passwords we actively encourage are no stronger than what he used. If you want a really strong password, use a sentence of random words. Password length matters far more than password content - this is a simply provable fact - too bad hardly anybody in security realizes it.
  That XKCD strip is consistently misunderstood. Random words aren't more secure than a sequence of random letters, numbers and symbols. For example, a random sequence of seven letters (mixed case), symbols (assume 10 of them) and numbers has the same amount of entropy as the four dictionary words Munroe mentions. Eight characters is signficantly stronger and four words. "Length matters more than content" is an oversimplification to the point of meaninglessness. Arguably, Munroe's example is shorter, since it's a sequence of four randomly-chosen symbols, rather than seven or eight. It's just that the symbols are chosen from a larger set (2048 vs 72).
  The point of the strip is that, for most people, the sequence of words provides a strong password that is easier to remember. If remembering your password is your problem, then a sequence of random words is a good solution (but don't fall for the temptation to pick a favorite sentence). However, Munroe's example is almost four times as many letters to type -- call it three times as many keystrokes after accounting for the need to hit the shift key a few times in a random character sequence. Even worse, the fact is that many (lame) authentication systems won't accept very long passwords. In many ways multi-word passwords are impractical.
  Personally I optimize for ease of typing, not ease of memorization. I use my most important passwords sufficiently frequently that remembering them is no problem, but being able to type them quickly and accurately can be. I use a random password generator to generate a random 10-character sequence, then I permute it for ease of typing. Permuting in a fairly predictable way (grouping shifted characters and arranging to alternate touch-typing hands between pairs of characters) reduces the entropy a little, which is why I generate 10 characters rather than eight or nine.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
3. Re:It wasn't THAT bad a password actually by c++0xFF · 2012-04-25 15:02 · Score: 2
  
  My company has some crazy password policies, to the point that remembering all my passwords is quite a challenge. So, I tried the XKCD method, and this is what I found:
  1. Typing four words is a lot of typing, but it's amazingly fast due to muscle memory! Just make sure your dictionary has relatively short words in it.
  2. Changing passwords often isn't a problem, even when you have multiple accounts to deal with.
  3. I think five short words with a smaller dictionary) is better than four words with a larger dictionary.
  4. Different systems have different password requirements and capabilities. Some things have workarounds (like adding number or symbol somewhere), but others can't handle long passwords. Until certain software catches up, the XKCD method can't be used everywhere. What a shame.
4. Re:It wasn't THAT bad a password actually by dylan_- · 2012-04-26 03:34 · Score: 2
  
  Four words out of a 2k-word dictionary (which is small),
  That isn't small...it's *tiny*. For fun, I downloaded a word list from ox.ac.uk. It's 26,800 words. And that's just English words, and probably not very many. You could certainly find a dictionary of over 50,000 words without much trouble.
  I tried to cut it down to around 2000 words, and succeeded by cutting out all words beginning with capitals, any that contained an apostrophe and all those that were *over four letters long*. That gave me a dictionary of about 2,400 words. All four letters or less and all lowercase.
  
  --
  Igor Presnyakov stole my hat
5. Re:It wasn't THAT bad a password actually by dylan_- · 2012-04-26 04:23 · Score: 2
  
  You could certainly find a dictionary of over 50,000 words without much trouble.
  In fact, I just realised that right next to it was the Unabridged dictionary which is 213,557 words. Mind you, you get passphrases like: "unrealmed hagiocracy viverridae heterodoxal" (actually really got that with "shuf -n 4 Unabr.dict") but I guess it would be good for your vocabulary. ;-)
  
  --
  Igor Presnyakov stole my hat
Not uncommon by krelian · 2012-04-25 10:16 · Score: 4, Interesting

This is not the first time I hear about a hotmail account being hacked to send malicious links. I had a few friends with the same problem, always hotmail. It's possible there is a serious security problem with the service. And even if there isn't, logic should be in place to suspend account who start mass emailing their contact lists with suspicious links, it shouldn't be that hard to stop.
1. Re:Not uncommon by FrootLoops · 2012-04-25 10:53 · Score: 3, Insightful
  
  And even if there isn't, logic should be in place to suspend account who start mass emailing their contact lists with suspicious links, it shouldn't be that hard to stop.
  The same thing was mentioned above, but all a hacker needs is the contact list. They can spoof your email address and bypass Microsoft entirely afterwards. Of course the same is true of all email providers.
It's His Own Damn Fault by smack.addict · 2012-04-25 10:20 · Score: 5, Insightful

His password is 7 lower case characters. It's a wonder his GMail account wasn't hacked ages ago.
Microsoft's online encryption has always been bad by Celexi · 2012-04-25 10:21 · Score: 2

Hotmail's default isn't SSL as far i know, and their chat service isn't ssl or encrypted or even able to run encrypted ( unlike google's chat/XMPP). So it isn't exactly safe, not long ago someone was trying an dictionary attack of some sort for days on my MSN messenger account as it prevented me from logging in due to "too many password attempts" . ( when i had not been the one doing those attempts.)
Re:Idiot? by rkfig · 2012-04-25 10:23 · Score: 2

Assuming the attacker knew somehow that the password was exactly 7 letters, and that they were all lower case letters, which shouldn't be the case, it still shouldn't have been possible. 7 letters, 26 possible letters in each location means just over 8 billion possible combinations. If we assume upper and lower case letters plus numbers are tried in the brute force attack, that gives a bit over 5 trillion possibilities. Exactly how many failed attempts are allowed on their web logon before any sort of protection system kicks in. So, yes, I do think it is a design and implementation flaw by Microsoft.
Re:Probably wide spread by Billhead · 2012-04-25 10:39 · Score: 2

In that case you should also know that pidgin stores the passwords in plaintext in the settings file(at least last time I checked).
I've been using gmail for years by Jafafa+Hots · 2012-04-25 10:43 · Score: 2

and their new layout sucks. Totally. No colors in labels, screen spacing all wasted, hard to look at.
Meanwhile hotmail HAS improved.
I still prefer gmail, but the difference has narrowed mostly because of gmail's steps backwards into "Apple iTunes ripoff "I'm stupid like your grandma" design concepts. They fucked up something great and made it merely OK.
Hotmail's still sucks in many ways, but their inbox os SO much easier to clean out now, that single improvement makes hotmail easier in many ways to use than gmail.
If gmail were to ditch the shitty "everything has to be big and rounded and words have to disappear and be replaced by vague non-descriptive icons" blech, AND institute cleaning like hotmail,. they'd be miles ahead.
Now... if either took the invention of usenet provider Easynews, and allowed a "ranges" feature, they would be golden. If you use easynews, you know what I mean.
If not, it works like this - take a page of 300 items each with individual selection boxes. Click one near then top, one lower, another lower still, and then one more. Click "select ranges"
You get the whole range between your 1st and 2nd selection selected, items afterward are unselected until your NEXT selection, and those between that and the end selection are selected.
Hard to explain, but it's fucking BRILLIANT. No other site I've seen uses that, and it's fucking GREAT.

--
This space available.
Hotmail issue? Or something else... by atticus9 · 2012-04-25 11:21 · Score: 2

I can think lots of ways that his account could have been compromised that wouldn't be Hotmail's fault. I wish there was more details on how he got hacked exactly.
But how did it get hacked? by SuperDre · 2012-04-25 18:36 · Score: 3, Interesting

The main issue now is, how did it get hacked, as millions of users are using hotmail/live-platform daily without problems.. Maybe the reporter was a bit dumb and put his login-account details on a hazy-website for some reason (like an external importing app, or a maulicious App for his phone/tablet/whatever)..
It's not like an account can be hacked that easily (just as easy as a GMail account could be hacked)..

So the hacking of his account doesn't have anything to do with the service itself..
Re:As I posted yesterday by cpu6502 · 2012-04-26 05:35 · Score: 2

>>>XP was less stable than 2000.
Really? Wasn't XP simply the +0.1 version of Win2000? I would have thought XP would be more stable, like how WinSeven (6.1) is more stable/bugfree than Vista (6.0).

--
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"