Update: MS Says Hotmail "Security Issue" Resolved
Bartleby writes "Here is MS's letter about the 'service issues that have generated questions about security.' A textbook example of PR-driven understatement. When my colleague and I logged in to his Hotmail account with no password using simple HTML, we thought it rated a little higher than a 'service issue.'" Previous Slashdot story about this Hotmail 'service issue' here.
Even CNN was buying this.
I fully expected MSNBC to spout this company line but I was a little surprised that CNN just regurgitated this without doing a little digging themselves. (tsk, tsk)
I think what I heard was "some web sites posted codes which allowed visitors to gain access to user's e-mail accounts without their permission. Once the code was made available, it began appearing on many web sites until Microsoft took action to stop the unauthorized access".
Bleah. Should have been along the lines of "a security hole was discovered which allowed others to access hotmail accounts without requiring a password of any kind. This information was quickly shared on the internet and several web pages were posted with the necessary information to allow visitors to easily access hotmail accounts. Microsoft took hotmail servers down until the security hole was corrected."
Crap.
I'm sure you guys can do better than me, but here's a couple to get the contest started...
One coworker to another:
"The boss called last night and said the plumbing backed up in the office, so we're all supposed to take Monday off."
Or:
"Tomorrow is 'Frontier Days', so don't forget to dress accordingly."
One student to another:
"Are you ready for the big exam tomorrow?"
Or:
"Tomorrow's exam has been postponed for two weeks."
Dear John:
I've found a new man. Beat it.
Or:
Sally told me where she saw you last night. You've got some explaining to do.
Dear Jane:
What's this I keep hearing about you and your high school football team?
Or:
Sorry, but I've decided I prefer guys.
Bill Clinton to George Bush:
Just tell 'em you didn't inhale it.
Bill Gates to judge Jackson:
What's your favorite charity?
Sheesh, evil *and* a jerk. -- Jade
I'm going to make a web page chock full of animated banner ads and make Mr. Gates and his highly trained engineers watch them as my refund. Can you say "Click the Monkey and win $500," Bill?
MS is just not paranoid enough about security issues. This stems directly from a single-user mindset and a lack of experience with multi-user and network security issues.
Unfortunately, they're too paranoid about potential competitors.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
I mainly use Windows to browse because it looks nicer (fonts)! After an hour or so of browsing I get sick of GUIs altogether and boot into (Debian GNU/)Linux, console-style. No fonts, no problems, not memory consuming, all good. I tweak, download new kernels, update my system, et cetera. When I feel like being in Linux and browsing, I use WindowMaker. I love the experience. And I don't drink beer.
What about the *nix, BeOs, and Mac?
It's not a question of stupidity but ubiquity. The idea is to make the source available.
Suppose that instead of an obviously-flimsy screen door, your house has an ordinary door with a keyhole above the knob, and you have a key that fits the keyhole. Say it's a very fancy, flashy model, with an electric sign that lights up "LOCKED" in big red letters, or "OPEN" in green letters, respectively, when you turn the key.
Suppose the people who sold you the house assured you that it was impossible for anyone without the key to open the door. To prove it, they turned the key and pointed at the sign, saying "See? It says "LOCKED", so it must be locked. The only way to open it is with the key, and only you have that, so you're perfectly safe."
Now, suppose that, in fact, the changing of the lights on the sign is the only thing that happens when you turn the key. There isn't even a bolt installed as part of the "lock" -- it just says "LOCKED", but the door is completely open for anyone who tries to turn the knob.
But, suppose that you trusted the people so blindly that it never occurred to you to try opening the door when it said "LOCKED", or even to look at the edge of the door to see the bolt. You just blindly believed the people who sold you the house when they said that the door could not be opened without the key. After all, the sign says "LOCKED", doesn't it?
Now, when someone walks in and robs you, surely he is still committing a crime, but don't you think the people who sold you the house are just a little bit to blame as well, since the security that they claimed to be selling you was in fact completely non-existent? In fact, isn't it even just slightly your fault that you were either too stupid or too lazy to take even the most basic measures to ensure your own security?
David Gould
David Gould
main(i){putchar(340056100>>(i-1)*5&31|!!(i<6)<< 6)&&main(++i);}
There are lots of security freaks, who dont do anything without encryption. I dont care so much what someone knows as long as it doesnt "appear" to impede me. If i feel secure and can do what I want to when I want, then I'm using that service. It is not an issue of education mom & pop. My mother would never have used a computer if not for aol. she will not bother with learning about windows let alone UNIX. Education is not the solution for large scale computer use, simplicity is. And there is where the true war is fought, ease of use and usefulness vs security and well designed. Shareware products tend to be much better designed and more secure, but Microsloth and AOHell tend to make more usable products no matter how lousy they are. Instead of trying to educate the masses, we as the development community should work on making highly usable and useful products for mom and pop.
There's a lesson here kids: 97 year old snowboarding grannies are the major web demographic for a reason :)
Yeah, right. We'd have encrypted mail if it wasn't for your government. -- "Yeah, right" is the only example of a double negative in any language
...positive
Sorry
Note that this time when M$ screwed up, it was with one of their services, which quite a few ppl rely on, not in their software.
Thus your discussion of OS is completely irrelevant; hotmail is as usable as it is, without regard to OS or system architecture, although from what I hear it seems to favor only recent browsers.
Need a Catering Connection
So how did you come to choose hotmail over yahoo or any of the others. I use yahoo for the same reasons you mentioned, but I also like the fact that it is not such a haven for crackers and spammers (heck, MS wouldn't even delete the hotmail account that a trojan was emailing info to) and it seems to have a slightly better reputation. I loathe email from hotmail even more than AOL. Also, I can actually clean out my trash when I want to.
With Hotmail's security you don't need to clean out your trash - you just wait until an exploit is discovered and somebody else hijacks your account and deletes everything for you!
:-)
I don't see how you can attribute this recent exploit as being caused by MS having a single-user mentality.
I think you're just pulling out anything bad you've heard about MS and throwing it up in the air as an explanation for recent problems.
Get a life and learn about the current events, then maybe we'll get a reasonable post out of you.
Wired and ZD Net also have stories up that debunk Microsoft pretty well. I just haven't seen any stories that get it right in "mainstream" press yet, like Reuters, AP, CNN, or NYT. Any links? I would think that this is a story that has some legs still...
Jim
So if I add "ttyp0" to /etc/securetty and disable the root password on my linux box, who would take the blame for "breakins": Linux or me?
Regarding the ebay outages (which MS blamed on Sun), the problem was that Sun did provide patches, but the ebay admins did not apply them. Is Sun responsible?
-- Don't Tase me, bro!
Most people simply won't be bothered with
details so all they want to hear is good
news. Even if it's lying to yourself, it's
better than the alternatives: reading HOWTO's,
spending time experimenting, and actually
admitting to yourself you haven't got a clue.
Microsoft is doing them a service by providing
only news they want to hear. (Write HTML
without knowing it! Use WordProcessors with
ease! Simple database management! etc. etc.)
Only people who look further than the surface
can see Microsoft isn't living up to those
expectations.
People who care about computers use Unix.
Hopefully their number will grow.
I use it because it's easy, it's fast (yeah, it is, most of the time), and because I don't like giving my real e-mail address out. I use that address for actual work. I can't have a spam flood on it.
But my hotmail account is practically a throwaway account. If the spam ever gets too bad, I toss it and sign up for another. No loss to me.
Anyway, it is a good service, for a free one. Anyone using this for any sensitive info at all however, is an idiot.
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
But I don't care about the security issue.
The reason is that all I use the thing for is web site registration where they require you to provide an email address. Like, for example, Microsoft.
This is the ONLY thing I use it for, and have never given it out anywhere else.
That account now gets 4 or 5 spams a day. I pop in every couple of weeks and clear them out.
In the meantime, my main account hasn't gotten spammed in almost 2 weeks.
So there is a purpose for a hotmail account, and I'll continue to use it. If some script kiddie wants to read my spam, I don't care.
Joe D
True, but if you remember the story here on slashdot about the Navy vessel (and one of the larger crashes that occurred) that was run by software running on top of NT, the blame was placed on MS for the OS, when the blame seemed to be in the application running on top of it. Do we blame the vendor just because we happen not to like them, and let another vendor off because they are generally more respectable? How can a vendor guarantee the cluefulness of the developers writing applications for their platform?
This story is also front page news on at least the online versions of the two major British broadsheets, the Times and the Daily Telegraph. Both of the stories make it clear that it is Microsoft who is responsible for the security breach (I don't believe that the Times even used either of the "-acker" words) and refer to other recent Microsoft security problems.
Jeff
Anyone want to bet that their 'fix' was to simply change the ip address of the machine that has the special access? I bet if someone tried hard enough that they'd find another machine with almost exactly the same problem (or maybe the same machine, but the url formatting changed slightly so the previous format won't work). Anyway, given how quickly it got 'fixed' and considering that it is MS that handled the problem, I doubt they have a real fix, probably just some quick hack to cover it up.
I just tried to check my Hotmail from work. When I logged in, I got a screen telling me that I couldn't get to my account because Hotmail had assigned an IP address to an earlier login (from home) and now I could only get to my mail from that IP.
What happened to the whole concept of webmail, being able to access your email from 'any computer in the world'?
I can't believe this could really be their 'solution' to the security breach. I am so glad Hotmail is nothing more than a spam dump for me.
Jane
... And Heroine helps children sleep...
"I have no respect for a man who can only spell a word one way." - Mark Twain
"Going to war without France is like going deer hunting without your accordion." - Jed Babbin
Yeah, right = negative so it's two positives = a negative ;-)
at least they didn't try to pull that old
"not a bug, a feature" line.
Typical MS PR stuff... We admit a slight problem which we then fixed after being told about it... even though they knew about it hours before they admitted it...
Unfortunately, I feel that there is no such thing as bad publicity... how many people that are new to the internet will take a look just to see what the Hotmail service is like, only to continue using it? Quite a few, methinks...
Linux is not RedHat
Folks,
Does any one know how to close a hotmail account??
If you do, please pass the tip.
Thanks, Mike
Geez, they forgot to note how 'timely' and 'proactive' their admin staff was at pulling the plug on the site--- if my service had a hole so big that someone's blind grandmother could fly a 747 through it, that network cable would be disconnected so quick your head would spin... better to down the service for a few hours than to let everyone roam around freely... let the PR spin begin!!!!
Yes this is my real UID. No, it was not bought from EBay.
And I thought them calling Back Orifice a minor threat was bad.
If you think you know what the hell is going on you're probably full of shit. -- Robert Anton Wilson
jdube is who
By that reasoning, the only time RedHat should notify their customers of problems is when there's a bug or security hole in their installer, or some other RedHat-specific piece of their distribution. They bundle the kernel and all the various apps and tools and stick their RedHat Linux brand on it, so it's incumbent upon them to take responsibility for anything that goes into their distribution. If they're not willing to do that, they should yank the offending app from their product. For a company whose business model is almost entirely based on support and services, their response is not reassuring.
Cheers,
ZicoKnows@hotmail.com
The administrators of this site (Slashdot) made a point of not themselves publishing the URLs to the sites trafficking in the information needed to trespass. It's up to a legal body to determine if the fact that they then stood by and watched as users posted that information in forums they moderate implicates them.
Posting the specific details of a security exploit should not be illegal, especially when it is as simple as a URL. Software and security measures get better much more quickly when the details of an exploit are made public.
Many of the people who tried out the Hotmail exploit did so using their own account, or the account of someone who gave permission for the attempt. Those folks have nothing to worry about, and the other idiots will probably be saved by the sheer volume of break-ins.
Rogers Cadenhead (Web: http://www.cadenhead.org/workbench)
I can't believe that people would be pacified by this trite little statement. Microsoft should be collectively taken out back and shot.
Honestly!
My guess is that people jump on Microsoft when they screw up because it's funny. They have a pretty sleazy reputation.
Normally, I avoid "woo-hoo!" kind of posts. However, I just can't help it.
a a
Hahahhahahahahahahhahahahahhahahahahahahahahahh
ahhahahahahahahhahahahahahahhahahahahhahahahahh
It's ahhahahahhah a SO hahahahahha a FUNNY!!! hhahahhahahaha
hahahh
ahha
hah
ha
ha
h
-- Slashdot sucks.
While I agree that many people bash Microsoft because it is fashionable, I think that you have missed an important point about Microsoft.
Know why IE5 is better than Netscape 4? Have you been using a computer long enough to remember when Netscape 4 was better than IE3? If someone has a company that produces a product, and relies on revenue from that product to pay for further development of that product, and someone cuts off that revenue stream, development of that product ceases.
Now you need to realize that the revenue stream was not cut off because another company came out with a better product, but because a company holding a monopoly came out with a similar but free product, and used their monopoly to guarantee that 95% of all users already had that free product on their computer. (and in the case of WinNT 4.0 the user gets warnings about non-y2k compliance if IE4 isn't installed) Now go out and peddle your software... I bet you won't be able to hold onto 25% market.
Now add on to this that the company holding that monopoly does not have a history of innovation, but of squashing competition so it doesn't have to innovate, and I wonder where you get the idea that IE6 will be better than IE5. Is IE5 better than IE4, or do you just get a warm fuzzy feeling that you have the latest WinXX bug-fix installed. (yeah, right)
This brings me to the point that most young capitalists take that Microsoft must have the dominant market position because they make the best stuff, and therefore have the right to do whatever they want. (not saying that you said that, but this always goes there) Keep in mind that Microsoft got where they are by being at the right place at the right time, and having market savvy. They are now riding the wave of a massive installed base, and their primary interest is not a quality product, but to maintain market share and revenue, which they do by locking their customers into an upgrade-cycle, and using their monopoly to stifle competition. (not good for capitalism)
Just because you are only aware of the political part of the argument, doesn't mean that is all there is to it.
Sorry about the AC, but Rob never mailed me my p/w, and now when I try to create a login, it says it already exists. Oh well, maybe they should switch to MS Passport ;-)
Peter Dagen
dcom1123@yahoo.com
-- Which is worse: ignorance or apathy? Who knows? Who cares!?
Ok. First, Microsoft makes windows. Therefore it's only natural that *their* compiler/development integrates the best with *their* operating system. After all, they wrote it.. they know its quirks better than a 3rd party company that has to lease info from them. It's a sad fact of life.
Second, the other compilers which you mentioned aren't nearly as much of a universal standard as Microsoft VC++ is. That's what happens when you have a monopoly; microsoft used their leverage in the OS field to expand into other markets (development tools). Another sad fact of life.
Third, there is now an effort to port Mozilla/Win32 to DJCPP (a free win32 compiler).
And why are "Microsoft users such idiots" because Mozilla is compiled with MSVC++? That question doesn't make sense, but I'll take a stab at it. The average user doesn't really tell which compiler their web browser was compiled with, so they don't really get to choose which development environment it was written/compiled in.
...
Bitchslapped? Give Rob a bitchslap from bitchslapped.com.
MS spokeswoman Erin Sanford is quoted as saying, "The security of our system is paramount and it was necessary to shut down Hotmail for a short period to stop this difficulty. We will be looking at how the information which created this problem was made public."
So, MS is saying the publishers of the exploit are the ones responsible for the problem. No way could it be MS's fault!
typical
Whether Microsoft is "defending its right to innovate" or "upgrading" "known issues", we who keep the facts should do the world a favor. Microsoft can't back out of its confabulation of the truth... It is in too deep. They cannot admit to trying to defend their rights to make exclusive contracts. They cannot admit they are fixing bugs. So we must make them wear it. Like a scarlet letter "I". Insincerity. At every press conference, every question, every time their damage control tactics come up in a conversation, we bring it down like a hammer. Insincerity. Insincere behavior in marketing is as close to illegal as you can get without the Feds knocking down your door (wait a second... they are!). No one likes to deal with an insincere person, one who tries to seem genuine only to get something out of you. Microsoft is insincere, and it won't stop being insincere until its black heart stops beating (forgive the hyperbole). So insincere we should call them, and we should call them out on being insincere! -Ben
Hotmail explicitly asks when it needs information that personally identifies you ("Profile Information"). Hotmail asks for your first and last name, state and zip code (or country and postal code for non-U.S. residents), gender, year of birth, and occupation. You may update this information at any time from within your Hotmail account by clicking the "Options" button on the navigation bar, and then clicking on the "Personal" icon.
Really? I can update my gender and year of birth?
So.......you're saying that you keep a record of all your passwords on a Windows box?
....hmmmm....what's your ip address?
Well, they had a backdoor put in to avoid the login screen, something VERY bad in a network environment, but fine on a single user computer. I do see the pattern.
In the case of the Navy vessel, the responsibility for the application crashing on a division of zero is clearly that of the application writers. They wrote the thing, it was their job to put in suitable checks and error traps.
On the other hand, an OS that crashes because an application crashes is no better written, and that IS Microsoft's responsibility. The OS should not be vulnerable to such knock-on effects, and should certainly have error traps of its own.
In Hotmail's case, the OS was not broken. Nor was the web server. These performed their tasks admirably. The fault seems to have been in the CGI script, which is not the responsibility of the OS or web server programmers. The CGI script is the responsibility of those who wrote it. If, as others on Slashdot have alleged, the loophole was added at the request of Microsoft, then Microsoft shares the responsibility for that. Nobody else is responsible for Hotmail's CGI scripts, in any way, shape or form.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Here's the original story: http://www.gcn.com/archives/gcn/1998/july13/cov2.htm
and a quote:
"Using Windows NT, which is known to have some failure modes, on a warship is similar to hoping that luck will be in our favor," DiGiorgio said.
-- Don't Tase me, bro!
Are you implying that it's possible with other Operating Systems to just leave the machine sit there running and security updates are automatically applied?
That means there are sure a lot of people wasting time poring over security newsgroups and lists, applying those daily patches and rebuilds to keep their Linux systems secure.
What's more, there is no reason to buy Netware, because the next release of Windows1900 will have MS proprietary version of NDS, maybe, and it will cure your need to use anything besides micros~1 products, just think - one solution for everything and no thinking on your part! oh, and just wait for Janus...
Don't you think that if email went down on hotmail Saturday morning they'd call people in to fix it before Monday?
So why isn't a major security problem given the same priority?
Jim
Is IE5 better than IE4, or do you just get a warm fuzzy feeling that you have the latest WinXX bug-fix installed. (yeah, right)
Yes IE5 is better than IE4, it does CSS better for one.
I don't like Microsoft, but I'm not so jaded that I can't admit when the do something right (or at least better than before).
-funcused
Of course it won't. Internet Explorer 6 will likely be released solely to implement new (proprietary) "extensions" to web formats. Of course they will claim that they did this because so many of their current users were begging for it. And, incidentally, the new extensions will cause competing products to core/GPF/whatever. Very typical indeed.
"I have a good idea why it's hard to verify programs. They're usually wrong." --Manuel Blum, FOCS 94
When a programmer screws up and creates a buffer overflow do you object to calling the discovery of the problem hacking or cracking?
:)
Discovery of the URL that allowed entry was a crack.
After it was published, using it wasn't difficult enough to deserve the name "cracking". Even script kiddies would disavow it I'm sure. I'd personally judge Microsoft's statements about the "advanced web programming knowledge" required to access mail accounts a plain lie to falsely reassure customers.
Having a rogue script active on a machine can be called a mistake, not necessarily negligence. I don't know if they tested the service enough to escape negligence there. However, leaving customers vulnerable for 10 hours after the exploit was widely known is awfully hard to justify, and I think it can be fairly easily documented.
What part of "anyone's hotmail can be read or sent by anyone on the web" didn't you understand Mr. Gates?
Jim
This has been mentioned several times. I think it's important to note that the ?acker's ability to vicariously write e-mail messages renders the question irrelevant.
It doesn't matter how much I paid for the mail service. If someone can represent themselves as me using the service then it could cost me quite a lot. The malicious intruder could reply to messages sent to me, delete important messages, subscribe my friends or business contacts to porn mailing lists, etc.
I'd say that, free mail or not, the amount of damage that could be done might easily exceed the cost of any mail service.
"I have a good idea why it's hard to verify programs. They're usually wrong." --Manuel Blum, FOCS 94
Maybe MS *should* send all of its Hotmail users a $0 check. It would at least be an admission that they screwed up.
Does this
You don't need to remember all the passwords, or at least, you will not have to. NDS and all its ramifications provide already a secure, encrypted framework for delivering services on the Internet. Novell has many NDS-aware products, where you log into the NDS database, and then you have access to NDS-aware services. Of course, the level of access and the rights depend on who you are in NDS. So it IS possible to have single sign-on access to many different hosts (NetWare and non-Netware), Lotus Notes databases, ERP software, and e-commerce sites with only one sign on. No, I don't work for Novell, nor for a company that has anything to do with their products. I used to work with NetWare and NDS until a year ago, and I respect them very much.
Also noteworthy is that HushMail released their source code.
If you ask me, it beats Hotmail hands down. :)
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
What bothers me most about this entire mess was the comment made by the microsoft spokesperson yesterday. Something to the effect of "exploiting this hole requires a detailed knowledge of web programming languages." It required knowledge of a URL.
http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=ENTERLOGINHERE&passwd=eh
Simply replace ENTERLOGINHERE with the name of the account and it worked. This isn't even cracking imho. It's like when someone forgets to set a root password on a box that accepts root telnet logins. Typing "root" and hitting enter isn't cracking the box, it's stupidity on the admin's part. It's the same thing as leaving your car doors unlocked then complaining when your discman that you left on the front seat gets stolen. Microsoft left the proverbial door to hotmail unlocked.
The whole spin on this makes it appear to be "those bad hackers" attacking poor innocent microsoft. I'm sorry but accepting a URL as a form of authentication with no password checking is plain stupid. This reminds me of the at&t vs. mci story from a little while ago discussing how the two companies handled outages. at&t admitted to the problem and kept customers informed about what was going on. mci blamed someone else and lost a lot of respect and possibly business.
Microsoft needs to grow up and accept responsibility for their mistakes.
-matt
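As an added example (not code from this thread, nor Hotmail's or Microsoft's), here is a toy webmail "start" endpoint in Python that shows the mistake matt describes, a login= parameter selecting the mailbox while passwd= is never checked, beside a hardened version that takes the mailbox only from a server-side session minted after real password verification. Host name, user, password and mailbox contents are constructed.

```python
"""Toy webmail 'start' handler: URL-parameter auth (vulnerable) vs session auth (hardened).
Everything here is constructed for illustration; it is not the original service's code."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed user store: login -> (salt, sha256(salt || password)).
_SALT = b"constructed-salt"


def _digest(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


USERS = {"alice": (_SALT, _digest(_SALT, "correct horse"))}
MAILBOX = {"alice": ["Constructed message 1", "Constructed message 2"]}

# Constructed request in the same shape as the URL quoted in the thread (host is fictional).
SAMPLE_URL = "http://mail.example/cgi-bin/start?curmbox=ACTIVE&js=no&login=alice&passwd=eh"


def _query(url: str) -> dict:
    """First value of each query parameter."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def vulnerable_start(url: str) -> dict:
    """The flaw: whatever login= names is the mailbox served. passwd= is parsed
    and then ignored, so any value (here 'eh') is 'accepted'."""
    q = _query(url)
    login = q.get("login")
    _unused_password = q.get("passwd")  # never compared against anything
    if login in MAILBOX:
        return {"status": 200, "user": login, "mail": MAILBOX[login]}
    return {"status": 404}


# Hardened path: server-side session table, token -> login.
SESSIONS: dict = {}


def login(user: str, password: str):
    """Verify the password (constant-time compare on the digest) and mint a random
    session token. Returns None on any failure, without saying which part failed."""
    record = USERS.get(user)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(_digest(salt, password), stored):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def hardened_start(url: str, session_token) -> dict:
    """Mailbox selection comes only from the session. A login= parameter in the URL
    is tolerated only if it matches the session owner; it never selects the mailbox."""
    user = SESSIONS.get(session_token)
    if user is None:
        return {"status": 401}
    requested = _query(url).get("login")
    if requested is not None and requested != user:
        return {"status": 403}
    return {"status": 200, "user": user, "mail": MAILBOX[user]}


if __name__ == "__main__":
    print("vulnerable:", vulnerable_start(SAMPLE_URL)["status"])   # 200 with no real password
    print("no session:", hardened_start(SAMPLE_URL, None)["status"])  # 401
    tok = login("alice", "correct horse")
    print("with session:", hardened_start(SAMPLE_URL, tok)["status"])  # 200
```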
How much did you pay for the Hotmail account? How different is the Spinglish in this message from any corporate non-apology?
Did we all somehow forget that Microsoft is a corporation? This is why Linux is here, and is thriving and growing.
The party's over
Microsoft was "awarded" the People's Choice Award by Privacy International, on April 8, 1999, for being the most frequent nominee presented by the public for intrusive practices and invasion of privacy.
No TOS can strip rights granted by state law. If it tries, the judge will simply declare that part (or all!) of the TOS unenforceable. That's why all disclaimers and TOS are careful to note that the customer "might" have rights under state law. (I use quotes because I think all states grant some rights.)
However, the baseline established by state law tends to be pretty low. Were you killed by the product, or seriously injured? You can probably sue, unless the industry is explicitly protected by state law. (E.g., Colorado ski resorts generally can't be sued by the family of skiers who die or are injured.) Were you inconvenienced? Tough luck.
*IF* Microsoft, as owner and operator of Hotmail, had denied that any problem existed and continued to insist that its email service was "secure" despite strong evidence to the contrary, it *might* be such gross negligence that state laws would be triggered. But I doubt lawyers could do much with the facts known today.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Security issues can be solved but design mistakes speak of incompetent developers which could lead to the thought that M$ has incompetent programmers/developers in other departments as well which could make you think that all M$ software is crap (why do I have the feeling that there is a lot of truth in this...).
Gery
------------------------------
The answer is yes, me.
...and IE6 will be one of their final steps to complete world domination. IE 6.65 will contain a feature called "Microsoft ActiveSeventhSeal", which will immediately be broken in version 6.66 to support the proprietary ARMAGEDDON tag.
--
Win dain a lotica, en vai tu ri silota
Very good point, though what exactly got screwed up is also of scientific interest. As well as the question of when was the screwed up code deployed: before M$ bought it or after?
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
>The am-utils package that they've been shipping is "being actively exploited on the internet" to give root access on machines running amd.
The key words here are "machines running amd." I don't run amd and nor am I required to. In fact amd wasn't even installed on my machine when I installed Redhat 6.0 - I did a custom install. Now if this was Microsoft I would've had no choice. Software like am-util would've been installed by default even if I didn't want it on my machine. Also in case you didn't notice Redhat is informing people about the amd problems in a *VERY* public fashion, which is one of the reasons I like Redhat. On the other hand did Microsoft inform *ANYBODY* about the problem with Hotmail? Nope. People really found out about it after the news (and it *DIDN'T* come from Microsoft) made it to Slashdot.
In other words, get lost MS-Flunky......
"Have you been using a computer long enough to remember when Netscape 4 was better than IE3?"
Yes. I have been using a computer since the CBM "Personal Electronic Transactor" was still a neat idea. I've been around for the entire life of the home computer revolution, both as a consumer and as someone deeply involved in the business. As such, I feel qualified to address (and make an expansive digression on) one of your next comments:
"Now add on to this that the company holding that monopoly does not have a history of innovation..."
I used to hate Microsoft (long before it became fashionable). I would have agreed wholeheartedly with the opinion expressed above. However, I think my long-term experience has modified (perhaps mollified) my perspective. Here is my take, for those who care to read it, on why I believe that Microsoft is _THE_ pivotal player in the whole PC revolution (and I am not equating PC with "IBM compatible" or Political Correctness).
I started out my PC adventure using CP/M. I used to "pip" my files from one location to another, and used "ED" as my text editor. Digital Research wrote CP/M, and, yes, DOS is a clone of CP/M that Microsoft didn't even program themselves, but bought off of another company. Strike one against Microsoft and innovation.
Incidentally, in this extended ramble I am not arguing for Microsoft's innovation (when they _DO_ innovate - or when they blatantly steal - I will mention it, only because "innovation" was the core point of the message from which I have responded and diverged).
However, Microsoft did remarkably improve their CP/M-clone acquisition, and continued improving it for many years. When that "improving" stopped and bloat began is a subject of argument that I really don't want to spend time on. It is useful to note that Microsoft found themselves in this position because Digital Research fucked up. DR had the opportunity to supply the OS for IBM, but they dropped the ball and MS scooped it up. No, that isn't innovation on MS's part, but it is an early demonstration of the shrewdness which has allowed MS to remain the dominant player.
I spent many frustrating years as a salesman fighting against the MS/Intel duopoly. Almost any computer system on the market gave you more bang for your buck than did that combination. A lowly C64 was a better buy for many years than an MS/Intel machine. Still, the computer illiterate in those days, and many of the literate, were seduced by the letters I-B-M that were attached to the MS/Intel machines (and this included the clones and compatibles). They scoffed at graphics and sound. They were buying a BUSINESS machine for SERIOUS uses, and only someone interested in buying a TOY would buy THAT (THAT being anything which was better than what they were buying but not as magic, in their minds, because it lacked the association with IBM).
Digital Research dropped the ball again when they succumbed to bullying by Apple. GEM was a better MacOS copy than was Windows, but MS, either through bluster or negotiation (often the same thing) soon won the day with Windows. By Windows 3.1 they had invented a new market. So they copied the look-and-feel portion of another OS, and they got all of the credit. Strike two against MS for innovation. Apple _did_ deserve it, as they had ripped off Xerox and then bullied DR for following their example.
However, as before, MS improved their knocked-off copy until it was far superior to what they had copied (I expect that the Macintosh faithful will howl here). AmigaDOS was better, as was even the Atari version of GEM, but the IBM lemmings guaranteed that those systems would be marginalized.
You know the rest of the story (maybe you already knew the preceding. I don't know. But I felt the rehash was necessary to make my wordy penultimate point). Microsoft and Intel win the which-platform-has-the-largest-installed-user-bas
Anyway, for the penultimate point and the cause of this lengthy digression (Part I): the conformity that MS and Intel accomplished was a GOOD thing! Before, with the splintered market, computer technology proceeded at a snail's pace. Programmers had to develop for marginal platforms. This is very much akin to the VHS, Betamax and (in the UK) Philips 2000 days. Beta _WAS_ a better system, but fewer of the machines could be found in stores (there were no compatibles. Remind anyone of Apple?), so fewer titles were sold, and sales were hugely diminished. An inferior product wins. Just like Microsoft and Intel (Motorola had always produced a superior microprocessor).
Part II: So, Microsoft continued updating its products and OS to stay ahead of the competition (particularly their products. WordPerfect used to occupy the throne currently occupied by Word. Before WordPerfect, it was occupied by WordStar. Ditto Excel and Lotus and VisiCalc). It did NOT update products because it wanted to waste the money. I'm sure that MS would have been perfectly content to sell you the same product forever, never spending another dime on development costs. But competition drove the products forward. When products get bigger, they almost invariably get bloated. A (perhaps) nearly irrelevant aside: Think of StarOffice. What a bloated piece of shit. I hope Sun fixes it before they start hawking it as a viable alternative to MS-Office. No, wait, they don't have to - they can just hawk it as a non-MS alternative, and a certain large (and growing larger) market segment will come running.
Part III: Fatter products and OS's pushed forward hardware development. Accelerated it, in fact. Hand in hand Microsoft and Intel (and other conspirators) pushed the PC platform into the 600MHz 13GB HD state that it is today. And I like it that way. If you don't want it or need it, there are plenty of 386's that you can buy at the Salvation Army or the Good Will or auctions, cheap, and Linux in console mode will run brilliantly. I, for one, am glad that it happened. A homogenized market is required for that type of development cycle, folks. And MS was/is the great homogenizer. "Oh, no!" some of you will gasp. "He is encouraging bloat to push the development of faster hardware!" No, I'm not. Bloat is never desirable. However, I maintain that it is often the BY-PRODUCT of rapid development, and that it produced some very desirable side-effects. I am grateful for my 380MHz PC with 64MB of RAM and 16MB Riva TNT video card. Do you think they would have come into existence without the market-collusion of MS and Intel? And, as the market matures (as it is in the process of doing now), alternative (better) OS's emerge which are leaner and use that fantastic hardware to maximum advantage. Then the cycle possibly repeats itself. We are only now nearing the end of the first cycle, so time will tell how it finishes. I mean, MS is very shrewd. It is relatively unlikely, but still possible, that MS will pull a rabbit out of its hat and surprise us all. It might be the victor in two cycles, this and the next.
As for MS innovation, I think that we owe the major improvements in browser technology to MS. CSS and XML were implemented by MS long before Netscape had thought about them. CSS in Navigator is shit. Now, I know that MS did not have pure motives. I don't care. But MS introduced CSS support (limited) in IE 3, and changed the entire picture. CSS support got better in IE 4 and 5, and now Opera and Mozilla are re-drawing the picture again. If (for their own greedy reasons, namely to wipe Netscape off the map) MS had not championed CSS, it is very doubtful that CSS and XML would be so integral to Mozilla. Score one for Microsoft innovation. Further, Mozilla would not exist if MS had not clobbered Netscape in the browser market.
Regarding MS's predatory tactics: all is fair in business, folks. We live in a free market economy. The company with the biggest stick and the most money wins, like it or not. We gave MS that stick by giving them our money.
Anyway, that closes this opus. I hope I see some thoughtful responses.
Neopets - the best free game on the Int
Anonymous cowards making incredible allegations about the "crimes" of people who dare to tell the truth in public carry absolutely no weight at all.
While you want to intimidate, track down and jail whistleblowers who have the integrity to sign their own statements and assume responsibility for them, I want you to enjoy your freedom to speak anonymously if you so desire to protect yourself from unlawful harassment because of what you have to say. As long as your statement itself doesn't involve a serious crime (and no, I don't consider simply informing the world about how crimes are committed one of those), anybody involved in the mere handling of your statements on your behalf should be required by law not to reveal your identity even before a court of law!
Such is the law in Sweden with respect to printed media, based on the principle that the publisher is solely responsible for what is being printed. Since Slashdot is an unmoderated medium, that principle can hardly be applied here, but that doesn't make the freedom it would yield any less desirable. I don't care that you don't have the slightest idea of what freedom of expression means, but I want you to enjoy that freedom as much as anybody else, because if you can't, then that freedom isn't worth a dime to anybody else either.
And, if you are still not convinced, please report my name and e-mail address to your nearest police officer, the FBI, Interpol, or any Microsoft lawyers you know. I'm a system manager at a Swedish university, and it's my job to protect the privacy of our users as well as the integrity of our systems against attacks from anywhere.
Privately, I'm sick and fed up with silly government attempts at controlling the spread of information, such as bans on cryptographic software, laws regulating the mere mentioning of named individuals in electronic communication, "copyright infringement" claims raised against proxy HTTP servers, software patents, police snooping on private mail and so on.
I freely admit to a strong desire to circumvent any technical or legal obstacles placed in my way for no legitimate reason at all, and pointing out security flaws in computer software or service configurations - even to the point where continued operation of said software or service is jeopardized - is to me a good deed for the well-being of man kind.
I have decompiled and studied binary code without regard to any copyright on it, simply to satisfy my curiosity. I have modified the Netscape Navigator binary (international version) and configuration to enable US-strength encryption as well as change the "license agreement" nonsense into something in line with Swedish law for the benefit of our students (we don't accept "shrinkwrap" licenses over here), without asking Netscape. I routinely press the "Accept" button whenever I install software at work or at home, knowing that it means approximately "null and void" to me. I may read the "license agreements" after installation, just for the fun of it. I have transmitted encryption software across national boundaries. I have exploited security holes in computer systems owned by others, without their authorization, to obtain useful results such as improved network connectivity.
I scoff at the obscene claims made by German authorities to "own" Adolf Hitler's literary works, and I'll gladly make and distribute copies of Mein Kampf or any other garbage he wrote whenever I feel like it. I conspire with my friends to change the ways things happen around the world, whether in politics or in business, not merely by voting in elections or participating in marketing polls. I believe I do all this in full compliance with the law and with judeo-christian ethics, but if I don't, I'm prepared to defend my actions in court.
I challenge you to report all the above to the appropriate authorities, simply as an experiment to show how futile that is, and how pathetic your remarks are. I promise you that I will not have you prosecuted for making any false accusations against me (though I cannot answer for any actions by others). Ain't I kind? Believe me, it's hardly worth the cost of a phone call.
No, I'm not giving you my residential address. I may be frank, but I'm not stupid. If you are serious, you could either ask my ISP Algonet (it's my primary private ISP, not a mailbox hideaway), or you could ask Datainspektionen, the Swedish government agency charged with maintaining the register of those who maintain databases with personal information, for the owner of registration license number 9999110043 (it's mine). Make sure to include ample copies of any evidence you have against me either committing a crime or violating anybody's privacy by storing their names electronically (I'll mention Bill Clinton, Börje Ramsbro, Håkan Nordquist and Tomislav Micic to give you a fair advantage). Good luck!
Jerk.
Gads, you really are an idiot. So NT users can't choose which services to run? Tell us another one. And yeah, RedHat's being so public about all their bugs the way they bury it on their website. Guess they wouldn't want all those Wall Street investors to be able to see how shoddy it really is.
As for informing people, thank you for showing the hypocrisy that I'm talking about. The reason a lot of people here found out about the Hotmail problem here before Microsoft said anything about it is because Slashdot ACTUALLY REPORTED IT -- whereas they DIDN'T REPORT the RedHat problem. If they held RedHat to the same standard that they hold RedHat, most people here indeed would have heard about it here first; plenty of people knew about the problem before RedHat ever deigned to mention it. Nice try, junior.
Cheers,
ZicoKnows@hotmail.com
Does anybody remember the USSR's excuse for waiting nearly three days to announce the Chernobyl disaster to the world, even to countries directly in the path of the fallout? The accident occurred on a Friday (or a Saturday), and they waited until Monday because, they said, "the governments of most advanced countries are closed on weekends."
Hmmm. Hotmail and Chernobyl. Now there's an analogy I can live with...
--
This is not my sandwich.
> somebody else hijacks your account and deletes everything for you!
But they don't! They just get moved to a trash folder where it will, someday, be cleaned up. MS even advised users (that asked) to check if they had messages in their trash. If you had something sensitive on your hotmail account and an exploit was discovered, you couldn't get rid of it. On Yahoo!, you can delete everything and then "Empty Trash". That's the point I was trying to make.
-- Don't Tase me, bro!
FUD. MSN Messenger has always used a password authentication to access Hotmail, (some of the early versions put it in plaintext on the local webpage that is run), but that was fixed, it's no longer clear.
So.. I hate to say it, but this "typical of Microsoft" thing is only in your mind, this time.
(Note: at various times yesterday during Hotmail's patching periods, any attempts to read your mail @ Hotmail via MSN Messenger failed, with 403 as the result. However, that hasn't been the case for well over 12 hours now)
Even MSNBC is reporting that the exploit was only around for about 8 days, which was "before any damage was done."
The fact that the hotmail story never made it onto their main page (unlike everyone else) speaks volumes as well.
I guess MSNBC gets stories about 40 million email accounts being compromised all the time. Princess Diana's death from 2 years ago is more newsworthy.
Please.
Hotmail cancels an account if not used for over 90 days, right? WRONG! Yesterday I could "log-in" (you know what I mean) into my own account I set up only for testing more than 3 years ago. It was not MickeySoft-ed yet. The reason I didn't log in in such a long time is not only that I didn't need to, I had even forgotten the password! Well, yesterday I could have a look at my mails, one more time after years of absence :-) Of course, I had a look at the admin's mails, too. Didn't read any of them, I am a nice guy! (I just sent an e-mail as admin) Thanks Mickeysoft, I am looking forward to another funny event like this!
Actually, I think he said bug fixes were the least relevant reason to release a new version. Even worse than how you remembered it.
--
Fuck the system? Nah, you might catch something.
Hmm, let's see. Microsoft announced the problem on both Hotmail's home page, as well as on the home page of www.microsoft.com.
Now, what I'd like to know is: Why isn't Slashdot bitching about Redhat? The am-utils package that they've been shipping is "being actively exploited on the internet" to give root access on machines running amd. Wow! Something like that's just gotta be on RedHat's home page, right? Ooops. Guess not -- not a single peep.
So, after clicking on "Updates, Fixes, & Errata," I still see no warnings. Click on "Redhat 6.0." Click on "amd." Ahh, finally!
I dunno, but for a problem that's being "actively exploited on the Internet," you'd think that (at least by Slashdot's apparent standards), RedHat would be making a lot more noise about this. At least the Hotmail hole is no longer there.
Face it, you would've been bitching no matter what they said while giving RedHat a free pass on all the holes that have been uncovered in just the past month.
Cheers,
ZicoKnows@hotmail.com
This came to me from someone at Hotmail...
It had nothing to do with Passport.
A lot of press reports are confusing things.
First and foremost, the issue has been fixed & the utility that was used to access the Hotmail servers should no longer work. We were notified of this issue via the European press early yesterday morning and we began investigating immediately. During the investigation we took the Hotmail servers down completely so that the utility would not work & people's privacy would be protected. What we discovered was that the hacker found a formerly unknown bug in an old outdated CGI login script on the Hotmail server and used that to gain unauthorized entry to the system, and then posted the info on his site. Of course it's unfortunate that they chose this route to put people's privacy at risk rather than contacting us directly. We have fixed the CGI script and restored that service so that this approach is no longer effective. There has also been some confusion about whether this is related to Passport - it isn't. It was completely contained to one specific CGI script, unrelated to Passport.
We all know that Hotmail runs on a *BSD/apache platform.
However people have said that it was the passport side that was broken, and this is a newer feature, which is used across several services. This raises questions (to me at least):-
So many questions, so little chance of answers :-(
Was anything about the technique posted by the crackers?
"Shut up you big stupid."
:)
Obviously a comment from a microsoft stockholder, disgruntled NT admin (god knows I would be, if I had to work on that godforsaken abomination 40 hours a week), or an idiot in the Navy who recommended moving from UNIX to NT
It is pitch black. You are likely to be eaten by a grue.
That's an interesting slant, but let's face it -- Linux is easier to use than most Unixes and you simply don't have either the knowledge or capability to use it (Unix).
What I find hilarious is the media reports that the site was "hacked" or "cracked" when this whole thing is the fault of some incompetent CGI programmers.
The sad part is that 99% of the world doesn't understand the problem, so press releases that say "security issue" and "everything is ok" will be heeded by the masses.
Why can't Microsoft just own up and admit that they screwed up. And then fire the idiots that wrote the code in the first place!
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
Is it just me, or does it strike anyone as odd that uSquish claims to have fixed a code-level bug (as opposed to a bad config script) within a few hours?
IMHO, the only thing you could do for a security hole in that time is move it to another part of the code, and hope that you can actually fix it before someone else notices the problem. Does anyone know what Microsoft claims to have actually done?
Now I don't have definitive proof, but a comment above stated that this was not a bug, but a deliberate security hole put there by Microsoft to allow MSN Messenger the ability to log in to Hotmail without a password. With all of the warring going on between MS and AOL, it's pretty believable that this could be exactly what happened.
They admitted the problem but completely downplayed it. It's a hair short of flat out lying about it. That is not the kind of behavior you'd expect from any other multi-billion dollar corporation, but it's what we've all come to know as typical arrogant elitist MS speak.
--- A Jesus Fish eating a Darwin Fish only proves Darwin's point.
yep. linux has an automatic updater and (from what i hear) so does BSD. HP UX also has something similar and SGI can be auto updated with an install script. dunno about solaris. BTW, you can d/l the linux updater from rufus.w3.org for redhat..debian has one anyway i think.
Check out "gpasman"
http://www.student.wau.nl/~olivier/gpasman/
I assure you that I have both the knowledge and the capability. But ad hominem attack is easier than a thoughtful reply, which is why you used it. Much better would have been a response along the lines of:
"X should have font-rendering in version 4, so there is one of your quibbles taken care of," or something else that would have been germane and constructive.
Neopets - the best free game on the Int
Not using Hotmail is an option, but people may still be sending mail to your account successfully during the 90 day period. I'd prefer immediate deletion so the mail would bounce and the sender would know something is wrong with the address.
a) Speed. Yahoo is slow as hell from most places I check e-mail.
b) At work I am forced to use Outlook Express (on NT4! Bleeeech!). It can directly check my hotmail account. Easy, and it works well.
c) Yahoo sucks. Yahoo has sucked for a long time. I don't ever use Yahoo for anything at all, ever, just on general principle. Ever since Yahoo started offering EVERYTHING, I stopped using it. A site should do one thing and do it well, IMHO, and I hate these so called "portals" that try to do every damn thing. Yahoo mail, yahoo auctions, yahoo friggin' maps... The hell with it, fuck yahoo.
anyway, just my opinion.
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
I am quoting from
http://www.w3.org/Security/Faq/wwwsf4.html
"HotMail
The CGI scripts that run the popular HotMail e-mail system use a flawed security system that allows unauthorized individuals to break into user's e-mail accounts and read their mail. This problem is known to affect the version of HotMail that was in place as of December 1998. For further information, see these links:
http://email.miningco.com/library/nus/bl120898-
http://www.geocities.com/ResearchTriangle/Lab/6
Specifically the first link..
Quoting from that link..
"Hotmail Accounts Easily Accessed by Hackers
Hotmail is still extremely vulnerable to hackers who try to gain access to other people's email accounts, Shailesh Govekar and Krishnan VenkataRaman, software engineers at Lisec Software, have found out.
It may be easier than you think for other people (malicious or not) to read your (Hot)mail. They do not even need your password. All it takes is a URL and the user whose email they want to read to be logged in.
Sneaking the right URL out of Hotmail's database is easy and can be done at any time with only the user name of the account-to-be-hacked.
On their Web site Govekar and VenkataRaman describe the necessary steps in detail. A URL looking like http://www.hotmail.com/cgi-bin/password.cgi?login
If, for example, we insert "exhibitio" as the username, the URL is http://www.hotmail.com/cgi-bin/password.cgi?login
The problem is that Hotmail uses neither HTTP authentication nor cookies to ensure an account is accessed only from the computer that originally logged in to the account. "
Now, let's take this evidence against Microsoft's PR crap..
EOF
http://www.hotmail.com/cgi-bin/password.cgi?log
and all I got was an "Internal server error" message, not an "invalid password" or anything similar.. Makes me wonder, vaguely, if there is still something to this bug.. I doubt it, but might be worth looking into.
Server Name: lc3-lfd63.law5.hotmail.com
Your Browser (User Agent) = Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)
Last Task (ScriptName) =
RequestMethod = GET
QueryString = login=ACCOUNTNAME&curmbox=active
EOF
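The flaw the quoted report describes (a mailbox selected from a `login` query parameter alone, with nothing tying the request to the browser that actually logged in) next to a handler that binds the account to a server-side session, as an added example that is not code from this thread or from Hotmail; the request object, session store and mailboxes are constructed stand-ins, not any real CGI API:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample mailboxes, keyed by account name (not real data).
MAILBOXES = {
    "exhibitio": ["Welcome to the service"],
    "alice": ["Meeting at 3"],
}


@dataclass
class Request:
    """Stand-in for a CGI request: parsed query string and cookies."""
    query: dict
    cookies: dict = field(default_factory=dict)


def vulnerable_read_mail(req: Request):
    """Flawed pattern from the quoted report: the mailbox is chosen purely from
    the ?login=<name> parameter, so knowing an account name is enough."""
    login = req.query.get("login")
    if login not in MAILBOXES:
        return 404, []
    return 200, MAILBOXES[login]


class SessionStore:
    """Server-side sessions. The cookie value is '<random id>.<hmac tag>'; the
    tag lets a forged or tampered id be rejected before any lookup."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._sessions: dict = {}  # session id -> account name

    def _tag(self, sid: str) -> str:
        return hmac.new(self._secret, sid.encode(), hashlib.sha256).hexdigest()

    def create(self, user: str) -> str:
        """Called only after a successful password check; returns the cookie value."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = user
        return f"{sid}.{self._tag(sid)}"

    def user_for(self, cookie):
        """Account bound to a cookie, or None if absent, tampered or logged out."""
        if not cookie or "." not in cookie:
            return None
        sid, tag = cookie.rsplit(".", 1)
        if not hmac.compare_digest(tag, self._tag(sid)):
            return None
        return self._sessions.get(sid)

    def destroy(self, cookie) -> None:
        """Logout: forget the session so the cookie stops working immediately."""
        if cookie and "." in cookie:
            self._sessions.pop(cookie.rsplit(".", 1)[0], None)


def hardened_read_mail(req: Request, store: SessionStore):
    """The account comes from the session, never from the query string. A login
    parameter is tolerated only when it names the session owner."""
    user = store.user_for(req.cookies.get("session"))
    if user is None:
        return 401, []
    login = req.query.get("login")
    if login is not None and login != user:
        return 403, []
    return 200, MAILBOXES.get(user, [])
```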
I think anything short of full disclosure in a situation like this is insulting. It's clear from the exploit that a "back door" was designed into the system; the "crack" was that someone simply "leaked" the argument string to open it. For all we know, their "fix" was to change the backdoor password from "eh" to "he." I think a corporation has a responsibility to say exactly what happened, why it happened, and what they did specifically to fix the problem. Pretending that the system suffered a little glitch but it's all better now just doesn't cut it.
Um no. A few hours IS fast by the Microsoft clock. Remember, their programmers are not capable of releasing a simple fix to their web server or a dll without a few weeks to "test" and such. So this is a fix in record time, IMO.
So don't use Hotmail, there are free email providers all over the internet. Mail.com is good, if you don't like the web-based service you can have it forward your mail to another account.
Are you expressing an intent to commit trespass, or just kidding around?
I just can't believe that anyone would use their credit card number in unencrypted e-mail...web-based e-mail no less, and expect it to be secure.
To borrow his, erm, colourful metaphor, he not only bought the soap, dropped the soap, and bent over to pick it up, but also wiggled around a bit and yelled, "Come on in, boys!"
Just because something "works" 99% of the time doesn't mean it is a good product. Microsoft FrontPage "works", as in it generates a web page with minimal effort, but it does not "work well" because much of the HTML it generates is garbage (and sometimes invalid, e.g., you don't put bold tags around paragraph tags). Some people prefer the right way over the easy way.
"...and heroin helps children sleep ..." Well, it does... still, I get the point.
"Microsoft was notified early Monday morning (August 30, 1999)"
Maybe the company only operates 9 til 5 in one timezone. Isn't their HQ in the west of the USA, thus putting them behind Asia, Africa, Europe and most of America...
IMHO, the Microsoft spinmeisters must have been asleep on this one.
Why, you ask? Well, I was up late last night reading and listening to the radio and the news on one of the local mass-media radio stations ran the story on the Hotmail security hole. More and more people are going to start hearing more and more about the gaping security holes and start questioning whether they want anything to do with MS software. Those who already understand why the latest virus scare is a problem and how it works must already be asking themselves ``Why did I spend my hard earned money on this stuff?''
(Normally I despise the news media feeding frenzies but when it's directed in the right place, it's actually sort of amusing. We may not be seeing one just yet but MS has a few cuts and there might be enough blood in the water...)
CUR ALLOC 20195.....5804M
(Channel 4 News is one of the major news shows on in the evening on UK TV. Its main plus point is the anchorman Jon Snow, who is pretty damn good at asking nasty questions)
They had a rather ill-informed report, mentioning the Cult of the Dead Cow and Back Orifice, and then went on to a head-to-head between the MD of MI2G and some woman from Microsoft.
Unfortunately, neither the MI2G guy or Jon Snow actually pinned her down to anything, and let her get away with the party line of "Isolated incident.. not a problem.. all the fault of the hackers.. E-mail's never secure anyway."
He almost got her on a few, like "Wasn't the service up for a while after you noticed before you pulled the plug", but didn't follow up when she fluffed him, and they didn't bring up the possibility of it being Microsoft's fault/responsibility. Jon Snow finally summed up with a "Let the viewers decide" line.
Bit of a shame. I feel they didn't really research it too well. Jon Snow did a Bill Gates interview once, and asked him something like "Your personal fortune could supply running water and good sanitation to every person on the planet. How do you feel about that?" Ended up making Billy-boy seem like the devil incarnate. =)
But on CNN Headline News last night, the anchor announced that "CNN Interactive has discovered a security problem at Hotmail".... They *discovered* it? As in, they read about it on Slashdot? ;-)
Personally I think your points are all valid. I have to do tech support for Windows all day; I don't use Windows because it's the OS that I have to support all day. When I come home, I don't want to see WORK on my computer.
I am often asked about Linux because I use it, and many of our customers are very interested in switching (mostly because of the "I hate Microsoft" and not because "Linux is better" - although, to define "better" I admit requires a more subjective description which I think you know enough about already.)
I freely admit that I dislike Windows, but the thing that is currently keeping more people away from Linux is that it is different from Windows, and yes, more difficult to use (for now). Companies such as Red Hat (and others!) are fixing this, and yet certain members of the Linux community hear about this and immediately scream "Red $hite SuX0Rs!" Well, we still have some way to go I guess.
I am not going to specifically respond to any of your points however, because they are valid. If YOU dislike the tarball/RPM conflicts for example, you are certainly entitled to. But Linux is always improving. I am patient. I just hope to be here to welcome you when we get these things fixed, so we can have our beers and relax.
Cheers!
Try to hack my 31337 firewall!
A more charitable reading of that is, bug fixes do not constitute an entirely new version of software. That is, adding service packs / hot-fixes should normally not boost the version number.
That's not quite true, since certain SPs have mattered a lot in terms of functionality (e.g. IIRC, NT DX3 support came in a service pack...), but it's why you don't hear that suddenly MS released MS Windows NT 4.39.110+ or so. Release a patch, but it's not a full release; they're not going to ask stores to discard their stock and issue newly mastered versions; and it's not going to be billed as another "release".
That's the same way that, say, most Linux distributors (probably all), do not increment their version numbers for every single Errata patch and make sure to add more features before calling it a new release.
Only the dead have seen the end of war.
Let's just throw away all the fanatical, biased crap for a minute and think real long and hard about it from a business standpoint: If you say something like this, your credibility will be forever shot, and you'll probably never recover. As much as you and I would cackle with glee over the demise of MS, only an utter idiot would expect that any company would release such a self-destructive statement.
You might argue that nobody has any confidence in MS as it is, so why would it matter. Of course, that would be incorrect. I have no confidence in MS's ability to market a secure, reliable product. But, I assure you, there are plenty of people out there that don't know any better. If there weren't, MS wouldn't be making money.
So, we come back to the crux of the issue: MS borked things up real bad. There are a couple different ways they could have dealt with it. While shifting the blame from themselves to the scapegoat of "evil hacker guys" isn't very accurate, it didn't get the usual microsoft treatment of 'That's a feeeeeeeture'. Or simply ignoring it. Or fixing it and not saying a word about it.
I guess what bugs me about the whole ordeal is that instead of focusing on the fact that they built themselves a gaping security hole that they either never bothered to check for, or found and left alone until someone else pointed it out, everyone is nitpicking on their announcement. And that announcement isn't half as bad as some of the others that I've seen from other companies. At least they didn't say "we can fix the bug for any customer that can prove they really need the extra security afforded by a password". :)
MSN Messenger uses your Hotmail password to log on to the Messenger server. The reason why it doesn't have to ask you your Hotmail password is because it already used it to log you on to Messenger. Logging into Hotmail from MSN Messenger still passes your password, they just wised up and encrypted it so some retard couldn't stop the browser mid-logon and see your password in the page source. It amazes me that people shovel allegations about software that they obviously haven't used and don't know a damn thing about.
Microsoft was notified early Monday morning (August 30, 1999)
Sunday morning according to the Swedish paper that broke the story that day. But then maybe they don't work weekends, the lucky sods.
Please note that no action on your part is necessary to take advantage of the updated Hotmail
Wow, thanks.
Chris
Chris Wareham
It's obvious what caused the problem: The MSN Messenger *COULD* (it can no longer) access your hotmail account without a password. This hole was intentionally put in a few weeks ago to make this possible. With this hole gone, the Messenger can no longer accomplish this function. I wish someone in the media would note this little design feature. This sort of thing is typical of MS.
The only way to cancel your hotmail account is not to use it for 90 days. That is a bunch of crap!!!!!
Actually, the thing that most annoyed me about the notice posted by MS was about how quickly they reacted. Waiting several hours after a problem of this severity is reported and verified, and then patting yourself on the back for reacting quickly is not ethical behaviour.
Also, they were quoted on CNN (I think) that none of their users had complained, so they hoped that the effect was minimal. I know that I, for one, sent an email informing them of the problem, and urging them to take it down until it could be fixed.
My suggestion for MS? Come out and admit that they screwed up, and badly. A little honesty would go a long way.
---
"Go Metallica. Die RIAA." -- Linus Torvalds
Wasn't Bill quoted in an interview with a German magazine last year to have stated (and I'm paraphrasing from memory here) that "Bug fixes are not a significant reason for a new version of a piece of software. The only reason to release new software is to introduce new features"...
Considering Microsoft's track record, I suppose this explains a lot...
Ok, so maybe the wording was a bit vague regarding the extent of the security breach, but Microsoft admitted the door was open. So I'm gonna demand a *Full Refund*. Maybe I should gather together with a group of like-minded folks and storm the offices in Redmond :)
... yeah, that's right, the headline was "Hackers open big hole in Hotmail" although the story has little content. Maybe people will drop Hotmail... hmmm no, that would be too smart of them.
nmarshall
#include "standard_disclaimer.h"
R.U. SIRIUS: THE ONLY POSSIBLE RESPONSE
nmarshall
The law is that which it boldly asserted and plausibly maintained..
--Colonel Burr 1783
But does anyone else?
Sure, the technically minded people in the world realize that this is PR, and that M$ is chock full o'holes. With macro viruses, Back Orifice, hotmail, the ping-o-death and a slew of other issues that are never quite 'resolved' in the technical sense, the computer professionals and an increasing number of knowledgeable users are more and more shying away from M$. The success of Linux is a testament to that.
But the vast majority of the computer users out there, the ones that think Microsoft is the only software company out there, the ones that subscribe to Microsoft Internet and download a new version of the Internet everyday, and fax by holding the paper before the monitor, and complain when their cup holder breaks... They're the ones who pay good money into M$ coffers, and fund the bloat-fest and PR campaign.
M$ made the PC accessible to virtually everyone, and now preys on the ignorance of the average user. What's needed is an organized effort at educating the mom-n-pop computer user. What's needed is a way to tell the truth, because M$ fails to do so.
-- What you do today will cost you a day of your life.
Questions such as, 'Do Microsoft have any idea what security is?' Note that published reports are why you would be aware of this, certainly not from M$ itself.
Normally? Uh oh, that's scary. It was working normally before...
Unfortunately, it doesn't.
I don't find it reassuring that any company would take a long time to decide to bring down their service if they knew there was a major security risk. I'd feel much more comfortable knowing that a website on which I have private information stored will bring their service down immediately instead of compromising the integrity of my data.
Just sit back and trust us. Really, it's fixed! Don't take action! I like the way they say, 'continue enjoying the benefits of Hotmail with full privacy and security'. That slays me. Is that 'You can continue from now on to experience full security and privacy', or 'You can expect the same security and privacy in the future'?
Next month: your mail now secure from your 14 year-old sister!
Ok, I'll stop now. This ain't Microsoft-bashing, it's pampering PR-bashing.
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
So how did you come to choose hotmail over yahoo or any of the others. I use yahoo for the same reasons you mentioned, but I also like the fact that it is not such a haven for crackers and spammers (heck, MS wouldn't even delete the hotmail account that a trojan was emailing info to) and it seems to have a slightly better reputation. I loathe email from hotmail even more than AOL. Also, I can actually clean out my trash when I want to.
-- Don't Tase me, bro!
While I dislike MS, I must admit that yahoo is a hotbed of spam.
re : why people argue...
;)
It's very simple - it's fun.
Wouldn't life be boring if everything was the same, people were the same, and there was no variation whatsoever.
If I agree with someone, it's because I feel the same as them. If I don't, then fair do's - it's my life and sod the rest of you.
Do you find it boring when you talk to people that have exactly the same views as you, and you can do nothing but to agree ? Explaining, reasoning, contemplating... human nature surely.
I'm not from the US so I'm not going to go on about my rights. However, it *is* a right to disagree with other people. Come up with a few good reasons why not and I'll think about it... maybe even agree
For the record, I don't use Linux because it isn't ready to meet my needs. The font-rendering in X is shit, and the installation/removal of software is still mired in RPM/tarball feuds. When browsing the web is as enjoyable in KDE or Gnome as it is under Win32, and when I don't have to spend half a day searching for the components and RPM's on Rufus, etc., I'll gladly switch. It is faster, cleaner, and cheaper. But it still isn't a consumer product. And no, I'm far from a computer newbie. I like fiddling with my OS. Utilities and tweaks float MY boat. Still, I don't want to deal with any of that shit when I've come home from work after a long day and want to install some new toy that I've downloaded off the 'net. Maybe I read about it on Freshmeat. I go to the respective website, and it is there, but the author is of the opinion that RPM's or similar are for "lamers," so he doesn't distribute the program in a convenient form. Or it is uncompiled. Fuck that shit. I've been at work twelve hours, my dinner is cold, and I haven't had my first beer. I certainly don't care about software boffin Linux-Purist's politics. So what do I do? I re-boot into Windows and download a program for that much-reviled OS and install it with a mouse-click while I drink my beer.
'Nuff said.
Neopets - the best free game on the Int
No, someone in the Pentagram has recommended DoD shift from non-NT to NT. Air Farce is doing it too, as is the Army.
I like it. Take a perfectly good working system and replace it with a much bigger, but less working, system...
Oh well, at least someone at the DoD can now say that they're using "commercial off-the-shelf systems" (and they probably own lots of MS stock).
The German magazine was "Focus" and this was the quote:
"New versions [of programs] are not offered to cure faults. I have never heard of a less relevant reason to bring a new version on the market."
Pretty much sums up all their bug handling...
-mparcens
~~~~~~~~~~~~~~~~~~~~~~~~~~
JavaScript Error: http://www.windows2000test.com/default.htm, line 91:
news.com reported that "According to the source code of the U.K. Web page, the "Hotmail Login ID Storage Program 1.1" was written by Michael Nobilio on June 7, 1998." This seems to be where the BCC got their information, directly or indirectly. I've also heard that this crack was passport related, which was only implemented this weekend. Any info?
Their poll on cnn.com is "Does Hotmail's hacker problem make you less likely to use a free e-mail service?" I would say, "No, but their security problem does".
I wouldn't necessarily trust the time stamps on web files as a true indication of their last modification dates.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
Oh, please.....
It's funny that no one in the media seems to have figured out that hotmail runs on non-MS platforms (Sun?). Usually the software and hardware vendors are quickly blamed (eg. the ebay outages).
It's a neat little situation MS is in. On one hand, it's a perfect situation to poke at a competitor, on the other hand, MS sure doesn't want to admit too openly that it's not using its back office products.
I was astonished. Sound, sensible comments from a news service??
The other thing they said was that lawyers were looking into this, to see if Microsoft is in any way liable. After all, the problem was caused by negligence on their part, not some obscure bug or a skilled, daring cracker raid involving top security experts. Apparently, the TOS states that Microsoft is never at fault for anything that happens, but the reporter seemed to imply that not everyone shares that view.
Assuming this isn't sensationalism by CNN, this story could get even more interesting, and possibly spell doom to the disclaimers liberally splashed over all software and online services.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Is this really true?!
OK, so everything's all patched up now, right?
That's fine. Until, that is, the next time they implement some sort of new feature that does not play well with the existing aspects of the code, and something like this happens again.
There are trade-offs between security and convenience, and there are legitimate gray areas. For instance, I use cookies to stay logged in to
All that said, however, there is NO excuse for the Hotmail situation.
"Somebody exploded a letter-bomb today
Check out James Gleick's classic essay:
http://www.around.com/microspeak.html
D
----
"Please note that no action on your part is necessary to take advantage of the updated Hotmail."
Microsoft expects everyone to be socialized to believe that the default expectation is that it actually IS NECESSARY to take action to take advantage of a patched bug. ha
"Please note that no action on your part is necessary to take advantage of the updated non-spontaneously-combustible fuel tanks in Ford Foobar"....
It's 10 PM. Do you know if you're un-American?
Wow, really? Yesterday we could "take advantage of" Hotmail with a very simple action. Now it requires no action whatsoever? I'm impressed; these Microsoft guys make themselves easier to take advantage of every day.
A voice of reason !!!
But seriously, you may have an idea here. What is needed is a Slashdot lite for the tech-impaired (average user). Maybe you should start a thread on this. Of course the real challenge is going to be getting the information out where the average person can read it. Like links from Netscape and Microsoft (not likely) or Yahoo directly.
The Truth is somewhere.
It would be absurd to suggest MS should say "we suck." In fact, that would be just as bad because it would still obscure (or at least not reveal) the facts. At the very least, they should have a link from the PR letter to a technical description of the problem and exactly what steps they took to fix it.
If consumers don't hold corporations to standards of disclosure, corporations will continue to evade and obscure responsibility.
This is the perfect definition of Hotmail
David Wagner, a computer security researcher at UC Berkeley, called the incident "really embarrassing" for Hotmail and Microsoft.
"I've always said don't use Hotmail for anything that is at all personal because we have no idea if they have any commitment to security," he said. "Now I'd say we know they have no commitment to security."
Wagner's advice is simple: "Don't use Hotmail for any e-mail you would be embarrassed to see as a headline."
So long as your technology does whatever your job is, and you are happy with it, then why bitch about the rest of it?
We all tend to be a bit spoilt in this forum, and get on our high horses about needless trivia. Is the hotmail thing any different? Perhaps, as it has had a beneficial effect of opening a few peoples' eyes as to the possible security implications of email, and the internet in general. We are not all as fortunate to know all the implications of the technology that we use. If a few people now realise that they can get stung out there, then maybe it will save someone getting ripped off by sending their credit card number, unsecured, to someone undesirable. Does it matter if we use Microsoft, or Redhat, or whatever-is-K00l-this-week, so long as the message remains: Let's be careful out there!
just mellow out a bit, dude :)
So we're talking about a cgi error on a Solaris box whereby *yawn* the password is not tested in the array? And so, another *YAWN (excuse me)* opportunity to seize Microsoft's trademark duplicity . . .
Jabber declaims:
Ve-a knoo better. Boot dues unyune ilse? Soore-a, zee techneecelly meended peuple in zee vurld reeleeze-a thet thees is PR, und thet M$ is chuck fooll oo'hules. Veet mecru furooses, Beck Ooreeffice-a, hutmeeel, zee peeng-oo-deet und a sloo ooff oozeer issooes thet ere-a nefer qooeete-a 'resulfed' in zee techneecel sense-a, zee cumpooter pruffesseeunels und un increeseeng noomber ooff knooledgeeble users ere mure-a und mure-a syeeng evey frum M$. Zee sooccess ooff Leenoox is a testement tu thet. Boot zee fest mejureety ooff zee cumpooter users oooot zeere-a, zee oones thet theenk Meecrusufft is zee oonly sufftvere cumpuny oooot zeere, zee oones thet soobscreebe-a tu Meecrusufft Internet und doonlued a noo ferseeun ooff zee Internet iferydey, und fex by huldeeng zee peper beffure zee muneetur *Bork Bork Bork*, und cumpleeen vhee zeeur coop hulder breeks... Zeey're-a zee oones vhu pey guud muney intu M$ cuffers, und foond zee bloot-fest und PR cempeega. M$ mede zee PC eccesseeble tu furtooelly iferyune, und noo preys oon zee ignurunce ooff zee eferebe-a user. Vhet's needed is un oorguneezed iffffurt et idooceteeng zee mum-n-pup cumpooter user. Vhet's needed is a vey tu tell zee troot, becoose-a M$ feels tu du su.
One of the worst things you can do, in my experience, is come out and say "Wow. Our system got totally borked, because we didn't think things all the way through and anyone who wanted could read your private mail. Oh, we fixed it, by the by." Sure, you can't deny that there was a problem, but you also can't run around proclaiming to the world that the sky is falling, or you lose any shred of confidence that anyone might have had in you.
This was a fairly serious security breach caused by the implementation of a system before it had been thoroughly tested or thought-through. That is inexcusable. And you can't just fix it and then never mention a word about it -- that undermines your credibility as much as a 'chicken little' reaction. Given the circumstances, I think it was a very appropriate response. They admitted the problem, they admitted responsibility for the problem, and they issued assurances that the problem is fixed, and gave the usual drivel about being committed to privacy and all that.
As fluffy and irrelevant as all that may sound, when it comes to marketing/crisis handling, I think it was about as responsible as you can get. It certainly beats the usual 'feature-not-a-bug' argument, or the 'gee, it's because our Cisco routers got upgraded wrongly', or 'problem? what problem?'.
Can anyone confirm this? Forgetting to check a login at the top of a script is bad, but intentionally doing it is worse... and it would make a nice news article!
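The bug class the two posts above are circling (a login CGI whose password check can be skipped by a hand-made HTML form that simply leaves the field out) is easy to show in miniature. The following is an added illustration written for this page, not Hotmail's code, whose internals the thread never shows; the user table, salt, field names `login`/`passwd` and the hardened variant are all assumptions for the example.

```python
"""Constructed example: a login handler whose password check only runs when
the form actually sent a password, beside a handler that always requires it.
Not Hotmail's code; names and data are made up for illustration."""
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed user table: username -> salted SHA-256 hex digest of the password.
_SALT = b"example-salt"


def _digest(password: str) -> str:
    """Salted hash of a password (illustrative; a real system would use a
    slow password hash such as scrypt/argon2)."""
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS = {"alice": _digest("correct horse"), "bob": _digest("hunter2")}


def vulnerable_login(query_string: str) -> bool:
    """The bug: the password comparison lives inside an 'if the field was sent'
    branch, so a hand-written form that omits 'passwd' is treated as already
    authenticated. This mirrors 'forgetting to check a login at the top of a
    script' from the thread."""
    params = parse_qs(query_string, keep_blank_values=True)
    user = params.get("login", [""])[0]
    if user not in USERS:
        return False
    if "passwd" in params:
        return _digest(params["passwd"][0]) == USERS[user]
    return True  # no passwd field in the request -> no check at all


def hardened_login(query_string: str) -> bool:
    """The fix: require both fields, reject blanks, and compare digests in
    constant time. A missing or unknown user still costs one hash so the
    timing does not reveal which usernames exist."""
    params = parse_qs(query_string, keep_blank_values=True)
    user = params.get("login", [""])[0]
    passwd = params.get("passwd", [""])[0]
    if not user or not passwd:
        return False
    expected = USERS.get(user)
    if expected is None:
        hmac.compare_digest(_digest(passwd), _digest(""))  # burn equal time
        return False
    return hmac.compare_digest(_digest(passwd), expected)


if __name__ == "__main__":
    # What a 'simple HTML' form with only a login field submits:
    forged = "login=alice"
    print("vulnerable handler accepts forged request:", vulnerable_login(forged))
    print("hardened handler accepts forged request:  ", hardened_login(forged))
```

The two handlers differ in one structural decision: whether the absence of a credential is a reason to fail or a reason to skip the check. Any login path that branches on "was a password supplied?" rather than "is the supplied password correct?" has the first shape and should be treated as a finding during review.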
is that the more MS steps into the real networked world, the more we see this kind of screw-up. It all goes back to the mind-set at MS - it's fundamentally a single-user mentality. This is not a hard concept for people to grasp - even for journalists and average users, who after all use MS products for the most part as single users.
I sure wish someone would point this out in a big way.
"Well, MS products are not secure in the real world 'cause they, MS, don't really understand multiuser, networked topology."
Simple.
"shop smart:shop s-mart" ash
.
Chuck
try { do() || do_not(); } catch (JediException err) { yoda(err); }