Slashdot Mirror


Update: MS Says Hotmail "Security Issue" Resolved

Bartleby writes "Here is MS's letter about the 'service issues that have generated questions about security.' A textbook example of PR-driven understatement. When my colleague and I logged in to his Hotmail account with no password using simple HTML, we thought it rated a little higher than a 'service issue.'" Previous Slashdot story about this Hotmail 'service issue' here.

19 of 183 comments

  1. Re:remarkable spin by Jburkholder · Score: 2

    Even CNN was buying this.

    I fully expected MSNBC to spout this company line but I was a little surprised that CNN just regurgitated this without doing a little digging themselves. (tsk, tsk)

    I think what I heard was "some web sites posted codes which allowed visitors to gain access to user's e-mail accounts without their permission. Once the code was made available, it began appearing on many web sites until Microsoft took action to stop the unauthorized access".

    Bleah. Should have been along the lines of "a security hole was discovered which allowed others to access hotmail accounts without requiring a password of any kind. This information was quickly shared on the internet and several web pages were posted with the necessary information to allow visitors to easily access hotmail accounts. Microsoft took hotmail servers down until the security hole was corrected."

    Crap.

  2. remarkable spin by stuntpope · Score: 4
    I just read on http://news.bbc.co.uk/hi/english/sci/tech/newsid_434000/434120.stm an official response from Microsoft that shows their continued inability to take the blame. Rather, they'd point the finger elsewhere.

    MS spokeswoman Erin Sanford is quoted as saying, "The security of our system is paramount and it was necessary to shut down Hotmail for a short period to stop this difficulty. We will be looking at how the information which created this problem was made public."

    So, MS is saying the publishers of the exploit are the ones responsible for the problem. No way could it be MS's fault!

    typical

  3. Re:Placing Blame by jd · Score: 2
    The problem is with people's habit of placing blame, rather than responsibility. The two are not the same thing.

    In the case of the Navy vessel, the responsibility for the application crashing on a division of zero is clearly that of the application writers. They wrote the thing, it was their job to put in suitable checks and error traps.

    On the other hand, an OS that crashes because an application crashes is no better written, and that IS Microsoft's responsibility. The OS should not be vulnerable to such knock-on effects, and should certainly have error traps of its own.

    In Hotmail's case, the OS was not broken. Nor was the web server. These performed their tasks admirably. The fault seems to have been in the CGI script, which is not the responsibility of the OS or web server programmers. The CGI script is the responsibility of those who wrote it. If, as others on Slashdot have alleged, the loophole was added at the request of Microsoft, then Microsoft shares the responsibility for that. Nobody else is responsible for Hotmail's CGI scripts, in any way, shape or form.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  4. What bothers me most... by dirty · Score: 3

    What bothers me most about this entire mess was the comment made by the Microsoft spokesperson yesterday. Something to the effect of "exploiting this hole requires a detailed knowledge of web programming languages." It required knowledge of a URL.

    http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=ENTERLOGINHERE&passwd=eh

    Simply replace ENTERLOGINHERE with the name of the account and it worked. This isn't even cracking imho. It's like when someone forgets to set a root password on a box that accepts root telnet logins. Typing "root" and hitting enter isn't cracking the box, it's stupidity on the admin's part. It's the same thing as leaving your car doors unlocked then complaining when your discman that you left on the front seat gets stolen. Microsoft left the proverbial door to hotmail unlocked.

    The whole spin on this makes it appear to be "those bad hackers" attacking poor innocent Microsoft. I'm sorry but accepting a URL as a form of authentication with no password checking is plain stupid. This reminds me of the AT&T vs. MCI story from a little while ago discussing how the two companies handled outages. AT&T admitted to the problem and kept customers informed about what was going on. MCI blamed someone else and lost a lot of respect and possibly business.

    Microsoft needs to grow up and accept responsibility for their mistakes.

    --

    -matt
  5. Re: limited liability by coyote-san · Score: 2

    No TOS can strip rights granted by state law. If it tries, the judge will simply declare that part (or all!) of the TOS unenforceable. That's why all disclaimers and TOS are careful to note that the customer "might" have rights under state law. (I use quotes because I think all states grant some rights.)

    However, the baseline established by state law tends to be pretty low. Were you killed by the product, or seriously injured? You can probably sue, unless the industry is explicitly protected by state law. (E.g., Colorado ski resorts generally can't be sued by the family of skiers who die or are injured.) Were you inconvenienced? Tough luck.

    *IF* Microsoft, as owner and operator of Hotmail, had denied that any problem existed and continued to insist that its email service was "secure" despite strong evidence to the contrary, it *might* be such gross negligence that state laws would be triggered. But I doubt lawyers could do much with the facts known today.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  6. It is really that bad by Josh Turpen · Score: 2

    Now I don't have definitive proof, but a comment above stated that this was not a bug, but a deliberate security hole put there by Microsoft to allow MSN Messenger the ability to log in to Hotmail without a password. With all of the warring going on between MS and AOL, it's pretty believable that this could be exactly what happened.

    They admitted the problem but completely downplayed it. It's a hair short of flat out lying about it. That is not the kind of behavior you'd expect from any other multi-billion dollar corporation, but it's what we've all come to know as typical arrogant elitist MS speak.

    --
    --- A Jesus Fish eating a Darwin Fish only proves Darwin's point.
  7. Timeliness? by akey · Score: 2

    Actually, the thing that most annoyed me about the notice posted by MS was about how quickly they reacted. Waiting several hours after a problem of this severity is reported and verified, and then patting yourself on the back for reacting quickly is not ethical behaviour.

    Also, they were quoted on CNN (I think) that none of their users had complained, so they hoped that the effect was minimal. I know that I, for one, sent an email informing them of the problem, and urging them to take it down until it could be fixed.

    My suggestion for MS? Come out and admit that they screwed up, and badly. A little honesty would go a long way.

    --

    ---
    "Go Metallica. Die RIAA." -- Linus Torvalds
  8. Refund by cartographer · Score: 2

    Ok, so maybe the wording was a bit vague regarding the extent of the security breach, but Microsoft admitted the door was open. So I'm gonna demand a *Full Refund*. Maybe I should gather together with a group of like-minded folks and storm the offices in Redmond :)

  9. We know better by jabber · Score: 2

    But does anyone else?

    Sure, the technically minded people in the world realize that this is PR, and that M$ is chock full o'holes. With macro viruses, Back Orifice, hotmail, the ping-o-death and a slew of other issues that are never quite 'resolved' in the technical sense, the computer professionals and an increasing number of knowledgeable users are more and more shying away from M$. The success of Linux is a testament to that.

    But the vast majority of the computer users out there, the ones that think Microsoft is the only software company out there, the ones that subscribe to Microsoft Internet and download a new version of the Internet everyday, and fax by holding the paper before the monitor, and complain when their cup holder breaks... They're the ones who pay good money into M$ coffers, and fund the bloat-fest and PR campaign.

    M$ made the PC accessible to virtually everyone, and now preys on the ignorance of the average user. What's needed is an organized effort at educating the mom-n-pop computer user. What's needed is a way to tell the truth, because M$ fails to do so.

    --

    -- What you do today will cost you a day of your life.
  10. Re:Principle 1. by Pascal Q. Porcupine · Score: 3
    > Really? I can update my gender and year of birth?

    Well, I don't know about year of birth, but you can come to terms with gender, and you can update your sex based on it...
    ---
    "'Is not a quine' is not a quine" is a quine.
  11. Re:Hmm...doesn't this go against Bill's Philosophy by mparcens · Score: 2

    The German magazine was "Focus" and this was the quote:

    "New versions [of programs] are not offered to cure faults. I have never heard of a less relevant reason to bring a new version on the market."

    Pretty much sums up all their bug handling...

    -mparcens

    ~~~~~~~~~~~~~~~~~~~~~~~~~~
    JavaScript Error: http://www.windows2000test.com/default.htm, line 91:

  12. Placing Blame by Bill the Cat · Score: 3

    It's funny that no one in the media seems to have figured out that hotmail runs on non-MS platforms (Sun?). Usually the software and hardware vendors are quickly blamed (e.g. the eBay outages).

    It's a neat little situation MS is in. On one hand, it's a perfect situation to poke at a competitor, on the other hand, MS sure doesn't want to admit too openly that it's not using its back office products.

  13. CNN's take by jd · Score: 3
    I watched CNN, this morning, and this was one of their leading items. Their take on the Hotmail story was: "Mail of any kind, unless encrypted, is never secure, and mail servers of any kind are never perfect".

    I was astonished. Sound, sensible comments from a news service??

    The other thing they said was that lawyers were looking into this, to see if Microsoft is in any way liable. After all, the problem was caused by negligence on their part, not some obscure bug or a skilled, daring cracker raid involving top security experts. Apparently, the TOS states that Microsoft is never at fault for anything that happens, but the reporter seemed to imply that not everyone shares that view.

    Assuming this isn't sensationalism by CNN, this story could get even more interesting, and possibly spell doom to the disclaimers liberally splashed over all software and online services.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  14. All fixed, until the next time by fable2112 · Score: 2

    OK, so everything's all patched up now, right?

    That's fine. Until, that is, the next time they implement some sort of new feature that does not play well with the existing aspects of the code, and something like this happens again.

    There are trade-offs between security and convenience, and there are legitimate gray areas. For instance, I use cookies to stay logged in to /. -- on a machine that is password-protected that only I have any reason to be using. Trying to remember large quantities of passwords (and having to depend eventually on password remailers), or using the same password (or small handful of passwords) on all systems, might be less secure or creating a "false sense of security" for people.

    All that said, however, there is NO excuse for the Hotmail situation. :P

    --
    "Somebody exploded a letter-bomb today ... but it wasn't anybody I knew" -The Moody Blues, "Dear Diar
  15. Sadly, Microsoft PR is nothing new by daviddennis · Score: 2

    Check out James Gleick's classic essay:

    http://www.around.com/microspeak.html

    D

    ----

  16. "Taking advantage of" Hotmail by qmrf · Score: 3
    Please note that no action on your part is necessary to take advantage of the updated Hotmail.

    Wow, really? Yesterday we could "take advantage of" Hotmail with a very simple action. Now it requires no action whatsoever? I'm impressed; these Microsoft guys make themselves easier to take advantage of every day.

  17. I still disagree by Bartleby · Score: 2
    I'll concede your point that this announcement was not as bad as it could have been. But we should really hold corporations to a certain degree of truth and frankness. If a Pinto explodes when hit from behind and Ford says "you may have heard about some service issues with one of our vehicles that raised some questions about safety; we assure you we've fixed it" we wouldn't (or at least shouldn't) stand for it. They need to release specifics about the problem and how they fixed it.

    It would be absurd to suggest MS should say "we suck." In fact, that would be just as bad because it would still obscure (or at least not reveal) the facts. At the very least, they should have a link from the PR letter to a technical description of the problem and exactly what steps they took to fix it.

    If consumers don't hold corporations to standards of disclosure, corporations will continue to evade and obscure responsibility.

  18. Is it really that bad? by behrman · Score: 3
    I've read several comments here attempting to run Microsoft out of town on a rail for their statement, referenced in the abstract. While I don't think that running them out of town on a rail is such a bad thing, overall, I also think you need to give some credit where it's due.

    One of the worst things you can do, in my experience, is come out and say "Wow. Our system got totally borked, because we didn't think things all the way through and anyone who wanted could read your private mail. Oh, we fixed it, by the by." Sure, you can't deny that there was a problem, but you also can't run around proclaiming to the world that the sky is falling, or you lose any shred of confidence that anyone might have had in you.

    This was a fairly serious security breach caused by the implementation of a system before it had been thoroughly tested or thought-through. That is inexcusable. And you can't just fix it and then never mention a word about it -- that undermines your credibility as much as a 'chicken little' reaction. Given the circumstances, I think it was a very appropriate response. They admitted the problem, they admitted responsibility for the problem, and they issued assurances that the problem is fixed, and gave the usual drivel about being committed to privacy and all that.

    As fluffy and irrelevant as all that may sound, when it comes to marketing/crisis handling, I think it was about as responsible as you can get. It certainly beats the usual 'feature-not-a-bug' argument, or the 'gee, it's because our Cisco routers got upgraded wrongly', or 'problem? what problem?'.

  19. what bothers me by mackga · Score: 2

    is that the more MS steps into the real networked world, the more we see this kind of screw-up. It all goes back to the mind-set at MS - it's fundamentally a single-user mentality. This is not a hard concept for people to grasp - even for journalists and average users, who after all use MS products for the most part as single users.

    I sure wish someone would point this out in a big way.

    "Well, MS products are not secure in the real world 'cause they, MS, don't really understand multiuser, networked topology."

    Simple.

    --

    "shop smart:shop s-mart" ash