The Significance of the Hotmail Crack
Slothrup writes "Telepolis has an interesting piece linking the problems at Hotmail with the Sun purchase of Star Division. An excerpt: 'What the Hotmail hack shows is that the Internet's self-regulation doesn't work anymore because it relies on the assumption of more or less equal participants. This is clearly no longer the case.' " Interesting piece. Definitely worth a read.
...when you can walk in the virtual front door?
Actually it was found a week or so before and had been floating around the net during that time. It was Sunday that the bug was announced.
It does not really matter. The fact that you do not pay does not mean that the service quality should have no guarantee. For example X sets up a free internet service. Some of the revenue from advertisements is reinvested in service guarantees. It is a question of overall policy. M$ is not the imaginary X in the lines above. Read their licence agreement on "paid" services and see for yourself. There is no guarantee whatsoever even if you pay. In other words it is a question of "who offers the service".
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
A bug is an undocumented feature.
Similarly,
A feature is an undocumented bug.
Returned Peace Corps IT Volunteer
Shop somewhere else!! Put your buying dollar to the test and don't purchase products or services from a vendor that has repeatedly shown ill regard to customers' wishes. This bullshit of suing the company and continuing your patronage to them is pointless! Companies that do poor jobs will run themselves out of business if you just stop supporting them.
Knowing even a little about the equipment you use can save you headaches and hundreds, even thousands of dollars. It doesn't make you a nerd or a loser, it's just plain common sense. I like to tinker with everything I own, just to see how it works and to know what might be wrong when it doesn't. I've literally saved myself thousands of dollars.
Yesterday in the Ottawa Citizen newspaper
See it here
---
Whoa, hold up. Is it me or did this hole (not crack) exist before M$ took HMail over? It's probably been around since day one, yet since it's now an M$ site it's obviously lame on the security side. I mean, hey, M$ hasn't actually managed to port the thing to NT yet, so we can't lay blame on that. It's a programming oversight as opposed to an open hole in the OS layer.
Nations spend billions and billions of dollars keeping up highway infrastructures that have been in progress over a hundred years or so (talking about the first world here). Consumers spend billions and billions of dollars on additional fees to drive on the highways and keep them in shape with taxes and tolls.
Consumers spend billions and billions of dollars purchasing vehicles, adding components, doing maintenance, and getting training and licenses.
This whole thing so far kills loads of people each year, destroys the atmosphere and covers valuable land with asphalt.
So let's really compare using the net to a car, shall we:
Buy a car for say 2000 dollars (or nothing if comparing to free e-mail) from a company that's only been in business for a few months and builds the things in someone's basement with no standards on how to put them together. Your car may be completely different from your neighbours. No training, no license required, pay nothing but a few cents a day for electricity to drive it.
But there are no roads, no stop signs, no traffic lights, no police, no parking lots, no bridges, no rules, no seat belts.
Worse yet, the car that you have isn't compatible with many of the roads which people have created. You must upgrade your car by hand, if something goes wrong then your car may be unusable.
You can get parts for free, but if they don't work, too bad. Some parts cause other parts to break so you have to track the compatibility of every part that you have and watch for fixes to the parts that you have.
So now is it really so easy to drive a car if it was a computer?
I could go on and on. Anyone care to make some direct comparisons that will make this car analogy go away?
Hotmail is an ideal service! It allows me to send guaranteed spam (you must enter your e-mail to use our service, and we promise to sell it to other people!) So, I enter my hotmail account in the rare case that I have to click on some URL to get into said service from the mail, etc.
Also, it keeps other people from grabbing my nickname and masquerading as me from a hotmail account...
Returned Peace Corps IT Volunteer
I agree, that one line bothered me, too. :)
The thing that gets me is, ma and pa computer user routinely f*ck up their machine, refuse to pay for needed upgrades, and call their ISP to help them install a game for their kids. I have been fielding tech support calls (in addition to my other duties) for about a year, and it burns my buns! These people don't know and they don't want to learn. "I'm computer illiterate." Well then turn the damn thing off and donate it to a school or something!
Whew. Sorry for that, it's been a hellofa week.
The Divine Creatrix in a Mortal Shell that stays Crunchy in Milk
The House Between - Original Sci-Fi Series
So does the author know the difference between a flea and to flee? Poor writing skills do not contribute to this article.
You do have to know some of the basic concepts of how the thing works, maintenance schedules, how to change a flat, etc. There is a basic set of working knowledge without which your car will have a much shorter lifespan or will leave you trapped out in the middle of nowhere when it breaks down because you didn't keep the fluid levels where they should be.
Same thing goes for computers. There are some basic things you have to know before you sit down and use a computer. Since Microsoft has made it easy for computer illiterate people to use computers, most people don't acquire those skills. Unfortunately the internet will require a certain level of literacy from you or bad things will happen to you.
On the one hand, you have people like me who use Hotmail as a spam catcher. (I do actually skim for actual messages to me once a week or so, in case someone's trying to reach me through it.) If someone got into my account to read all my spam, I couldn't really care less.
On the other hand, for those that actually use it as a major provider for their email, they've got to weigh the possibility of a breach happening to Hotmail in the future (and not happening to the other web email services) against the hassle of getting all their acquaintances to use their new email address. As someone who still gets email from an account I closed over two years ago (it still gets forwarded to me thanks to an understanding ISP), I can testify that it's a pain. You also have to consider that those people who do use web email as a major provider are rarely the type to come into contact with hacker types -- they're more the ma and pa type of user -- and were very unlikely to be targeted.
Cheers,
ZicoKnows@hotmail.com
Like any product or service, the informed consumer doesn't get ripped off. If you had stayed abreast of the news you heard about the hotmail crack and now have your e-mail at yahoo.
And like with any product or service, there will be a portion of the population that won't care that they're getting ripped off.
If security was a concern, storing mail at hotmail is an obvious no-no, even for a novice user (who, chances are, does not have much concern for security).
What is important is that the average user hear about such poor service, and switch.
We shouldn't be forced to become nerds just to use computers, as much as we do not have to become mechanics to drive cars. Interesting, however what if you've become both? I work on my computer(s) and work on my car(s). Probably not atypical but if you like that sort of thing... The only problem I have is that after working on the car my hands are in no condition to work on the computer.
der dee der.
Sun is a HARDWARE and SUPPORT company. True, they sell Solaris, at a loss. True, they sell lots of products under the Solstice banner, but usually they're just 3rd party products with Sun's Stamp of Approval. Java is merely a part of the strategy to continue to sell big servers - Java applets (what's that? StarPortal did you say???) need to be served, and, in the size and scope that Sun is thinking in, (40 million users? (there's a convenient number...)) by the very servers they produce.
Honestly... Whether the software is open source or not won't matter to Sun. It's just that RIGHT NOW the available commercial software is better for the markets they look at (Koffice will be _great_ but it's not there yet, and it's not written in Java)
And the server-centric model is the right one... At least from a management perspective.
--
We are Microsoft. You will be assimilated. Resistance is Futile.
Don't like my sig? I don't either.
have fun! it's impossible to have your hotmail account removed :-) The only way to get rid of it is to have it time out, but then how would you stop people mailing it? The moment you go back to read the mail you have another 6 months to wait. One word - "microsoft". Anyone thought of writing a "hotpopper" program so we can download mail from hotmail without having to read the stupid adverts?
> I think you were referring
> to the first break of a 128-bit RSA key...
128 bit = 39 digits = trivial
The rsa129-project was about a 129 _digit_ key.
Check fm for Hotmole... seem to remember it does what you're thinking of... Elvii, a temp AC cause my dns hasn't updated to the new servers and the old cookie seems to only go to the actual hostname, not the ip... and it's too late to worry about it at this hour.
I'll keep my data on my own box, and not use a thin client to upload everything to their servers, thank you very much. Bugs wouldn't be my biggest worry -- it's the idea that my data could be held hostage by some sysadmin honked off because I nailed his wife or riled up about some joke I made about Scott McNealy's gigantic fucking teeth. Forget that mess.
Cheers,
ZicoKnows@hotmail.com
While I agree with your point, I think you have missed the trend to integrate Hotmail into MS Outlook; this would discourage new users from exploring alternatives, much as the packaging of Explorer has with Windows.
However the most probable reason that Hotmail is so popular is that it isn't a bad service. A lot of the webmail alternatives are probably no more secure or reliable.
Nearly any system is likely to be able to be compromised. With this in mind, would the only answer be to not trust any system and always use encryption and back up data in more than 1 place? I don't think the main problem with hotmail is its security but its potential lack of privacy, which could come about in more forms than simply someone breaking into your email account.
meridian at tha.net
A hotmail programmer inadvertently commented out a line of code that handled password authentication. Anyone could log in with any password. But nobody noticed because the login script was an OLD login script, that was (for some stupid reason) left on a production server.
"Is this just useless, or is it expensive as well?"
Good points, but you miss the main point of the author. He does not claim that centralized computing is technically better or worse, but that if computing becomes centralized, users can't look out for themselves any more. They must blindly trust the behemoth who maintains their data.
I think the article argues fairly convincingly for FDA style regulation of sites like hotmail and my.yahoo.com.
Seriously though. If the power came back up and your servers came up with something broken then you're doing something wrong. I ran IBM boxes for years and never had any problem with JFS after power outages, in fact I laughed while the Netware guys rebuilt their servers.
The studies all say the same thing. The cost of supporting a PC environment is huge because users are always breaking things and every desktop must be visited for repairs and upgrades.
the article never mentions that as a hotmail user.. you never pay for support or even service. If you want greater control over your mail.. there is plenty of competition.. local ISPs.. large national and worldwide too. The key is that you have to pay something for it. Open source isn't the answer to everything. As far as I am concerned the only thing it has proved to do is breed innovation and stable, relatively bug-free applications. It doesn't however come with any guarantees.
After months of getting worse and worse, it's finally hit rock-bottom. Adding Microsoft to a situation seems to do that for a lot of things...
--------
Oscarfish.com: tropical fish with attitude. Way t
Why isn't everyone shouting "The problem was Microsoft Passport because Microsoft makes bad software !"
We really must rally around this issue. Make sure that the media get the message. It's not Hotmail, it's more bad ideas from Micros~1.
The author misses the point in that we're not talking about self-regulation; Microsoft instead faces market regulation. MS has competitors in the freemail business, and will lose customers from Hotmail because of its security issues.
If MS had a natural monopoly in freemail (like if Hotmail had a patent on the concept), I'd agree that self-regulation is insufficient. But in this case, the loss of customers and ad revenue for Hotmail, not to mention loss of MS credibility, will hurt them more than a few lawsuits from disgruntled parties.
My Blog. Sela Ward can sell me long distanc
The idea of Hotmail getting hacked is redundant. Why do I want security in my email? To keep personal information about me from falling into the wrong hands. But Microsoft itself already has that information if I use Hotmail, and I can't think what hands could be wronger than that. Don't keep anything private in a Hotmail account, but not because it'll get hacked. Bill Gates hacked the system when he bought it, yes?
Hotmail Scandal - Sexbuyer identity revealed?
Someone has hacked an email account that belongs to two young prostitute girls and sent out their correspondence on Internet. There is revealed the name and telephone number of many of their clients. "I want only to know if they were prostitutes for real", says a medium director whose name appears on the correspondence.
On Monday the Express revealed that anyone could read others' email at Microsoft's email without entering a password. After that the Microsoft staff took the whole ten hours to fix the problem before it could work safely again. During this time, someone accessed the email account of two prostitute girls, then posted the messages on an anonymous homepage on an American server where everyone could read them.
Intimate details
On the homepage is revealed many intimate details about those who wrote the messages. "I am a pleasant and kind person, married, who needs more than what I get at home", writes a man whose name and telephone number appears on the homepage. Many of the persons who wrote to the girls explained that they are businessmen who sometimes seek escorts in Stockholm and want to have contacts. The person behind the homepage request readers write email and call the men. A director in a well known medium company appears on homepage. He has written email to the girls and wrote "I am seriously interested in french lessons with you on a continuing basis. Can you tell more about your lessons, it would be nice if you also could attach a picture with the course plan". When the Express contacted him he knew already that his name and phone number was on the webpage "It is horrible and I understand that it is easy to ruin one's reputation" he said. He maintains that he did not buy sexual services and he only was curious to find out if they really were prostitutes.
The homepage where the names appeared is on an American webserver where everyone can log on anonymously for free. Therefore it is impossible to find out who is behind the page with the sensitive information. "What has happened with Hotmail is regrettable, but it is a whole other thing to take someone else's information and publish it on a website", says Lars Backhans, Microsoft's highest official for Hotmail in the Nordic Countries. "This here is abominable"
---
No, what this shows is that Microsoft continues to not care about security. Having your data on a professionally managed and backed up machine, that you pay for (so they feel some real enforceable obligation to you) is probably a good thing. Just don't trust MS to do it.
Plato seems wrong to me today
"Okay. Sure, it's easier and cheaper to store everybody's money in a few large organisations, let's call them banks, but that same concentration, while it may mean that one single security flaw can expose all that money to theft, I wouldn't want to suggest that we all therefore stuff our mattresses with banknotes and sleep with a pistol under our pillows."
There are people who've been burned and lost enough to banks that this is not a joke, not sarcasm, and who take this comment seriously.
-fb Everything not expressly forbidden is now mandatory.
Funny, GNU PGP must be a figment of my imagination then...
Yes, I use Hotmail because it's p**s easy to use. Why not? Surely Micros~1 can't suck at EVERYTHING they do?!!! *grin* It all comes down to probabilities... if an exploit is discovered and remains secret... the chances of the cracker knowing about my account and/or wanting to target me are remote. If the exploit becomes widely known enough for me to be concerned, the Hotmail guys will hear about it and fix the problem. Hell, I've more chance of being hit by a bus, or catching some nasty disease. Get a sense of proportion... it makes a HUGE difference to your life!
It's not much help with a Super Cray as a server, when you're sitting with a 33.6 modem, is it ?
I mean it. Apart from stating that crypto is a solution, everything else is crap.
I am a consultant for some big companies, and work only on GNU/Linux and open source software. They are still using winblows machines as workstations.
Guess what happens? The 'empowered user' is lost. 'Luser' as BOFT would put it.
My mom uses a computer. I set it up. I fix it when Win blows. She does e-mail OK, uses a word processor OK, but there's no way she'll ever configure the darn thing!
Someone ever tried to distribute a news windows application? To 700 workstations? A hostile application, putting DLLs everywhere, changing the registry, writing autogenerated config files? Like most Windows apps? I know what happens, I can see the guys wearing thinner...
Centralized computing would alleviate these problems. No more fixing bugs in hundreds of apps. No more 'erased config'. Centralized administration.
Oh, yeah, the power user will want his own full-blown computer. No problem! Just don't complain when it breaks, and fix it yourself. The average user just wants something that works. Without fiddling with it for hours or days.
Trust me. Get out in the real world (TM) and have a look. I've been there.
But it is not mail the author is concerned with. What happens when Sun would release StarPortal? Your spreadsheets (say financial info) and word-processing documents would be stored on the network servers and they would be vulnerable to the same attack as Hotmail.
If hotmail crack didn't exist and this document wasn't written, Microsoft should invent both themselves (or did they?), just to show people that Sun offering (which is cheaper and more featureful) is wrong way to go, and user should still pay MS and hardware manufacturers for more bloated software and more heavy notebooks to carry personal data around.
Jesus, don't go giving them ideas!
Hear hear!
:)
I've only bothered reading the line in the extract about the hack disproving self-regulation, and as far as I'm concerned, it goes to prove the point: we're not ALL braindead morons, and we shouldn't have to pander to those who are.
(The rest of the article is going to remain unread in the light of that extract alone.)
Agree entirely about risk assessment, etc...
Anyone got an uzi for these journalists?
~Tim
--
Rushing on down to the circle of the turn
That's true, but at least nobody will be reading your mail.
Not one person, all people. It took me about 2 minutes from when I heard about the hack till I had the URL that let me get into anybody's email. That "Hotmail was hacked" is just not correct; that "a method was uncovered that let anyone get into any user account at Hotmail" is a more precise description. Get the facts straight.
I could for example have used this opportunity to log onto admin@hotmail.com (yes, it was also open), sent a mail requesting some personal information from the users, and I could have waited there about 13 hours to collect the answers because MS didn't shut the server down and gotten home, free, and away with loads of information I should not have had. And that is just one thing you could have done, there are plenty of others.
"The future is already here, it's just not evenly distributed yet."
- William Gibson
" phil
Kinda please with himself for worming the Nazi comparison in...
Except that you killed the thread by Godwin's law.
Why haven't you been moderated down to -5 or so?
-fb Everything not expressly forbidden is now mandatory.
It's pretty easy for someone to misunderstand you there, considering what ISP stands for.
This story lacks much merit.
Self regulation does work, unless you as an individual do not let it work for you.
There are so many companies out there offering the same exact service as hotmail.com that there is nothing preventing you from switching. Hell, I even got an ad for a free email account from American Express.
This is what is so utterly stupid about some of these internet evaluations and mergers. For example geocities. What is it about geocities that makes them worth $5 trillion? Nothing, the technology and infrastructure can be put together for a few million in under a year.
And has been shown over and over again, people do suddenly switch from using one web site to another, from one fad to another.
The only thing keeping people at hotmail is their own stupidity. It has nothing to do with Microsoft being huge.
So you're comparing a somewhat-badly-designed GUI system coupled with a bad telephone support person, against a good text-based interface coupled with a good support person.
I can also imagine this scenario for a text-based program:
Press F1. No, not F and 1, F1, it's on the upper-left hand corner. No, not the corner of the screen, of your keyboard. No, not the bottom group of keys, there should be a separate row of keys above that group, upper-left hand corner of that row. OK, now press Enter. No, don't press E, N, T, E, R...
:-]
Not one person, all people...
So what you're saying is that this loophole was different because it was widely publicized.
There've been holes of various sizes in Hotmail since the beginning of its existence. Believe it or not, it's actually gotten much better since MS took over, although I don't think MS had much to do with it, it's just a matter of time and maturing software.
The difference now is that Hotmail is so popular that the smallest problem with it gets blown out of proportion, all in the name of the Media trying to make more money through sensationalism.
And one with which I partially agree.
.... especially when run
... who pay for their usage I might ....
.... not.
.... it is more of the issue that M$ ...
Free services
by overly large companies like Micro$oft
do not NEED to worry about the well being
of their users.
I mean, if M$ killed hotmail right now, what
would happen? Or if they limited it JUST to the
MSN users
add
Some million or so users would be out of a cheap
but effective free webbased email.
And I'm sure Gates would just be shaking in his
booties about that one
.....
Open Source has nothing to do with this issue
as I see it
did not 'come to the rescue' because they could
AFFORD to wait
Everyone is complaining that their security was
compromised. So. Did you leave hotmail for
another provider?
'nuff said.
"Smile
By comparison, how long did Hotmail even exist before they rolled out this "feature", what, two years tops?
You're kidding me right? Hotmail had tons of "features" since day 1. It has less and less "features" as time goes by.
Ditch Hotmail? No way! I'll stay with Hotmail, because now it is so popular that "features" will be removed asap. I ain't going to change for some obscure new free emailer with tons of "features" that are not going to get fixed anytime soon because the provider doesn't have the resources nor the incentive (media pressure).
More regulation is bad - If "e-mail sites like hotmail" were disallowed from disclaiming responsibility for their *free* service, then that also means that if you wanted to offer a similar free service--- you'd be responsible if it screwed up. They're charging $0, the service is offered "as is, with no warranty", what's the problem?
People shouldn't sign away their rights and then complain when they don't have them any more. Before you press "Agree", read what you're agreeing to, and only press "Agree" if you agree!
-- The act of censorship is always worse than whatever is being censored. Always.
I think you're missing a point. Yes, the privacy of e-mail (or postal mail, for that matter) is trivial on the level of a society. How much money I spent on my power bill or who I call long-distance is not of general interest. But, the fact that I spend $300 per month on power (14 computers, 2 routers, power to cool it all, etc.) would be something of great interest to my land-lord. I might even find myself kicked-out of an apartment. There's two levels here, and you're not seeing the problem from the level of someone who had their privacy invaded. How do you think the Swedish business manager, who was exposed as contacting a prostitute, feels right now?
the only information I ever found was the dirt on a few girls
And you said, this problem was of "no significance." It could have been of significance to them. (not a flame and not directed at the poster) Are you a cold, impersonal geek? I was at one time. I would have taken your side of the argument, but after getting married and having kids, I tend to see things more often from the point of view of others. I think this is the crux to how seriously we take this security problem.
godwin's law?
Please enlighten...
censorship is a form of noise, which actively seeks to drown out content with silence - Crash Culligan
The part that caught my eye in this article was the author's comment that we shouldn't have to become nerds to use computers just as we don't have to become mechanics to drive cars. Basically true, but the average computer is a LOT more complex than the average car. You don't expect a person to drive without getting some sort of training on how a car actually works. Yet people sit down on computers every day with little or no training and wonder why things go wrong. I've always joked in work that our users should have to pass a basic test before sitting at one of our £3000 machines. It reminds me of the old joke about cars crashing as much as computers etc. The problem is the more complex a system the more things that can go wrong. Most car owners can change a tire if it blows. I wonder how many of our users could do something as basic as reinstall NT?
Gnubie_ who forgets his password (gnubie_@linux-help.org)
>If you use it for serious mail, you're an idiot. Which is of course what most of us have been saying for years, but seeing as no one listened until now, I do think all the noise is justified. The point of the discussion is supposed to be something along the lines of: "If Hotmail stinks and can't be used for serious work, will all other Internet applications stink as well?"
/. is like a steer's horns, a point here, a point there and a lot of bull in between.
-
I never used Hotmail because I didn't like the thought of Bill Gates running through my email (not like he could find the time though).
People should use pop3 with pgp installed. Besides, who likes to be owned by Microsoft anyway.
When people subscribe to free email the service provider isn't obligated to do anything. He could sell your email address to some advertiser although he says he won't (who's gonna know anyway?).
I believe free email services are a problem on the Internet and the source of many spam emails people receive.
Think about it
-- Merlin - www.scrolls.org/merlin merlin@bofh.is --
Taken from the Hotmail Terms of Use:
9. TERMINATION
..snip..
If you wish to terminate your account, your only recourse is to discontinue the use of the Service.
The way I read this is that in order to terminate your account (and there YOUR liability) you have to not use the account for 90 days.
My question would be how is this possible when security is slack enough to allow anyone to log in to your account?
I wonder how many of the 40 Million have stopped, or now intend to stop, using their Hotmail accounts? That might tell M$ something.
Simon Wood.
I guess this makes having a Linux PPC system at home more attractive these days. We all know that windows is prone to cracking and this is just more proof that they know nothing at all about security. *nix on the other hand has been handling security a little better. Don't get me wrong, any system can be cracked, but it seems like a trend to crack Microsoft systems these days. We are always hearing about their security problems, and they seem to have so many. The world is just not ready for network pc's. Maybe in a LAN yes, but not in a home, where everything is on the server. Hell I am debating whether or not to write my own encryption program, and then send the keys to people I want to decrypt the mail.
Only 'flamers' flame!
WHAT?
Were you not listening to what we were talking about? Hotmail sucks, it's got a crap HTML interface that's slow and full of adverts and it's not secure and full of spam. What on earth would you want a Hotmail account for?
You get to choose your own username and you can access from anywhere, not just from college. It would have been useful when I was in America last month.
Um, yeah, or you could just get a proper pop/imap box from somewhere other than your school and learn how to access it from another computer. It's not hard.
Didn't work of course. She's still planning to get a hotmail account. Nothing I could say would convince her otherwise coz all her friends are using hotmail and they all think it's great coz you can access from ANYWHERE.
Bah. I'd sooner telnet to a pop3 port than face the nasty Hotmail interface.
Gee, before I "click" on "check for new mail" (actually, I don't, I fire up mutt), my mail is sitting on /var/spool/mail, on a file sitting not more than a metre from me, behind my firewall. You see, mail *is* delivered directly from your workstation to mine, because I'm running my own mail server.
I think most of us are missing the point here. This article is trying to argue that self-regulation of the internet doesnt work. It failed, IMO..
How could a government regulate such things? If you look at the history, especially in America, the regulation will be SEVERELY skewed toward protecting corporate profits, so long as there's sufficient language for a consumer to hire a lawyer and spend MORE money to get a company to stop ripping them off. Plus, what about services from other countries? It's hard enough to do something to a company in another state.
Anyway, what are your thoughts on *that*? Regulation v. Self-regulation.
Not AC - can't login till DNS updates.
-reptilian
movement is doing a lot in this direction. Cryptography is on top of the list. Free, easy to use, public domain cryptographic tools are a necessity. And with a few targeted public research grants they could become a reality rather sooner than later. An other
The Gnu Privacy Guard already provides freely available, easy to use public key cryptography. It's extremely simple to integrate it as a filter in eg. Pine or your favourite mailer. Version 1.0 is due out RSN, and 0.9.11 was released today.
- Aidan
Here's a somewhat off-topic cnn blurb about the slashdot response to the hotmail crack.
It's quite a compliment when cnn gets its news by reading slashdot. Tee-Hee!!
-- What you do today will cost you a day of your life.
Same arguments apply the same way.
Since the Internet is a no-boundaries system, you'd be dumb to locate in a regulated area when you can offer the identical service in a less-regulated (read lower-cost) area.
(Of course, the regulators would respond that they'll just force people to locate in Texas to do business with Texans. Then you could arrest Texans who illicitly use out-of-state services. Tell me when this starts sounding like a good idea. )
HTH. HAND.
--
Repton.
They say that only an experienced wizard can do the tengu shuffle.
"Smallest problem"? Isn't everyone overlooking the fact that MS actually caused the problem in the first place, by adding the misfeature of the start.cgi file so that users could check their Hotmail from the MSN Messenger client? MS _caused_ the problem because they clearly don't even care in the slightest about user security.
I can't believe that no one has commented on MS's new, nifty feature - that is Microsoft Passport. Using this you'll be able to login to all MS services (and they are trying to get others to join) with a single account and login, such as your hotmail account. Just think how much easier this will be for crackers. They'll only need to crack one service and they'll get access to all the services! Now that's what I call innovation. Great move MS, and just the sort of high quality we expect from your company! Keep it up Billy boy!
W S B
Don't have the savvy to do that? Well, go to your friend bob- who has installed staroffice- and do it.
I would love to be able to access my info from 'a centralized location'. Unlike hotmail, with Sun, that 'centralized location' can be my home computer.
The same goes for email and almost any of the other free services out there. you can always pick your provider.
~mindlace
The article was very blah. Here's some more:
1. The network is the computer. Fine, but you are not going to take MY PC away. I look at it like the 'network centric' view is public transportation, or a library, and 'PC centric' is the car or the house. We have room for both, and neither is going away.
2. People who use any of the 'free' sites like hotmail don't get any 'rights'. That's why they're 'free' - as in free beer. Recent legislation UCITA that seems to be moving right along with big corporate dollars will only continue, and will expand the trend to include things we pay for.
3. Passing more laws (as the poster above me points out) will only skew things further in the corporate direction. We need to be sure that our abilities to write/use free software - as in free speech - are protected. This is where these corporations will eventually have to go to continue generating profits - and where the governments will let them go - because governments are bought and paid for.
Ummm....since the application is *running* off the server, your data will almost certainly be pushed back and forth between server and client. Therefore, it's not quite as simple as saving locally or on the server (as you make it out to be). This means the server may peruse your documents for "keywords" and store a list on the server....and how would you ever find out about it?
no, too many security implications here.
Ajit
I should note that, for commercial companies, lack of accountability is the primary strategic direction. As was noted in /. a few weeks ago, the UCC 2b law passed, allowing companies like m$ legal backing in disclaiming legal accountability for their products while requiring the users to pay for their bugs.
the Internet's self-regulation doesn't work anymore because it relies on the assumption of more or less equal participants. This is clearly no longer the case
Hel-_lo_; this wasn't the Turning Point Of The Internet. It was just a crack, many of which happen daily. The author is so naive.
Washington, DC: It's like Hollywood for ugly people.
There used to be a program called hotmole that did that very thing, but the webpage is gone now. I emailed Hugo Rabson, the developer of hotmole, and he told me that considering how often Microsoft changes hotmail's format, it was just too much to try to keep rewriting hotmole to fit every new change. It's too bad because it really came in handy, but then again I completely see his point, I'm sure Microsoft wouldn't blink twice before changing specs again just so hotmole or any program like it, would break.
Like most ppl, this guy completely misses the point about NCing. He seems to think that NCing takes the "power" away from the user... But the power to do what? Work? I think not. Users mostly object to not being able to install their own "screensavers" and "games" at work in an NC environ.
It's not about taking anything away from the users, it's ALL about giving control back to the admin and management, after all they're paying the bills.
The simple fact that with NC you never have to replace another HD, or GHOST a machine back to a working state.
If you need to upgrade your client software, you update the one and only version on the server and never have to touch each workstation.
People say "Well what if the server crashes?"... My simple answer to that is... What happens if the server crashes with PCs on the desktop? Do your users keep working? Do you really want them to?
If your users are storing company data on their local HDDs you have a whole host of other issues. Even in the PC world, if the server crashes, users need to stop working. And quite simply, a properly tended Linux (yea)/Solaris (ick) server will not crash.
Enough rambling
Viva Xterminals!
-Matt (mhoskins)
----------------------------------------------
Matt on IRC, Nick: Tuttle
----------------------------------------------
bash# lynx http://www.slashdot.org >>/dev/geek
I've been hearing the rants against centralized software for a while. Quite frankly, I don't think it'll ever be all software. The Open Source economic model, if it is successful, will always be superior in both strength and agility to any closed, tightly-held system. The argument of centralized vs. non-centralized applications is really just an extension of the Open-Source vs. Closed-Source debate. Micros~1 (and others) already have stood behind a proposal to allow a software vendor the right to remotely disable any and all applications that the software company "owns" for pretty much any reason (http://209.207.224.40/articles/99/06/01/1642234.shtml). Imagine how easy it would be if the software in question were actually on a machine owned by the company. So we have, for the software/computer company, a complete centralization of its control of software. Fortunately (hopefully) I don't think market forces will allow this to happen. It's all very well (and understandable) for a corporation using these products to want centralized control of their employees' software, etc. It's quite another matter for these same corporations to allow their software/computer vendors to turn off their machines or software at will-- effectively allowing them to be held hostage by their vendors. Also, I wonder how many end users will trust all of their most valuable applications to such a centralized system which could also hold their documents hostage. Perhaps many. But, at least, the popularity of Open Source among users as well as more nerdy types indicates that it won't be a complete sell-out by society.
The average Internet user does not have the technical skills to evaluate things like the risk involved with various patterns of usage. Would you keep your daily schedule online, on some company's server? Many people do. There are other companies working on Internet-based storage. You store your files on their computer and then you don't have to worry about things like backups and disk space. They'll take care of that for you.
For people who don't understand the difference between disk capacity and RAM capacity, or between a local drive and a network drive, how can they be expected to understand all the ramifications of a scheme like this? The car analogy *is* a good analogy: we don't have to know how the motor works because there are a lot of laws and precedents that protect us from poorly-designed motors. (And I think the percentage of people who *can't* change a blown tire is surprisingly high.)
The average Slashdot reader is undoubtedly an order of magnitude more sophisticated about computers and the Net than the average Net user. (Don't congratulate yourself; it has nothing to do with intelligence and everything to do with what's important to you. Someone is not stupid just because the difference between RAM and a hard drive is not important to them.) It's easy to forget that the world is generally set up for them and not for "us". And it should be.
The difference between theory and practice is that, in theory, there is no difference between theory and practice.
Why should business and business practice on the net be held to a higher standard than traditional ones? I don't see anyone complaining that auto mechanics need to be regulated because they are not "more or less equal participants". The real assumption is by critics that think that all Net related functions are supposed to be magically secure and free from error.
Good points, but I have one criticism:
20-year old dumb terminals that were hard to use.
OK, first off, I know that you're really referring to the programs which were running on the host to which those terminals were attached, not to the terminals themselves.
With that out of the way, I'd like to say that in my opinion, a good ASCII terminal program can be simpler and more efficient than an equivalent GUI program.
Have you ever tried to tell a clueless end user how to do something in Windows? It's tremendously complex, and pretty much impossible if you're on the other end of a voice-only phone connection. There are just so many variables in the GUI world, and so many points of failure or confusion, that it's insanity.
On the other hand, with an ASCII terminal, assuming the software is any good, things become extremely easy. You can give clear, concise directions to the user; and users can actually write down procedure documents to tell each other how to do things.
And then there's that hideous Windows 95 Start button interface....
Whole big discussion on the good and bad aspects of having your apps on a central server. From my point of view, the general consensus was that this is just a way for the corporations to make more money and to get more control over the average user than they could get with normal apps.
And I still want to know what happens when the central server dies, or some construction people accidentally cut the 'net (phone, T1, whatever) lines, or the net is just really really slow with all these remote-running GUI apps, etc. No one can get any work done, because no software is local...
-----
--
perl -e'$_=shift;die eval' '"$^X $0\047\$_=shift;die eval\047 \047$_\047"' at -e line 1.
obviously, not all network applications are intended for the internet. many (most?) of them are intended for intranets. in that case, there is one big advantage to having your applications running from the server - it is taken care of, regularly, by people whose job it is...
this means that the versions/security-patches/bug-fixes are always (should be) up-to-date. it means there is someone in the organization you can turn to when something isn't working, and since he is getting paid for doing this, he has to get it fixed... on the other hand, if you are working on your own pc you are on your own with that...
I'd say the equivalent of server software bugs are client software bugs and viruses - how many people got screwed by Melissa? I'm sure a catastrophe like this is easier when your data is backed up, and getting everything working again is tended to by professional people, instead of you having to revive your crippled pc yourself...
we need to remember that if the subject is buggy-software, then no software is safe - be it server, client or whatever. this is the wrong parameter to be looking at. the equation we should be thinking of is privacy vs. centralized administration (there is a point about servers being inherently stronger than client pc's, but I'm assuming, for the moment, that people can usually get the processing power they want on a pc nowadays). to get your privacy you just have to do more by yourself. in many cases (in your work environment), the subject of privacy isn't so critical that people may willingly put it aside just to know that their working environment is guaranteed working and up-to-date.
I suspect this will be more so in the future. as systems get more complicated, people will be more than happy to trade a little of their privacy just to receive the applications they want, working and with guarantees - without doing any work for it. I'd say doing this on the internet may very well mean taking a lot for granted on the privacy side (I wouldn't do it without pgp or something), but if you are in a local network in a company - wouldn't you happily run an office application from the server. wouldn't you happily keep all your files on a file-server, if you are sure that it is secure and you get them backed-up regularly for it...
p.s. how's this for the most versatile setup - a unix/linux network where everybody sits on a linux box which he can choose to operate as an x-terminal, a full server or anything in between...
Hmm, you know what I think is a huge security hole in Hotmail and numerous other Websites? The idiotic autocomplete feature in Internet Explorer! Why do I say idiotic? Because it is turned on by default! Whose bright idea was this! I know that many people have been asking me how to turn it off and how to get their old passwords out of the things. I mean, how many people at a low level of computer literacy have accidentally left their passwords on school, library and other public computers by now. I'd be really interested to see that number.
I remember my Dad used to be really paranoid about cookies, but this is worse, because even sites that eschew storing passwords, etc. in cookies can still be subject to the dangers of auto complete.
Of course, this will not earn any big headlines because it is a "feature" of IE. Oh well...
All the creatures will die, And all the things will be broken. That's the law of samurai. (Jubai, 1605)
http://www.mollymail.com
Combine this with the auto complete feature I reference above... and how secure is any E-mail accessed through IE? Also, I've used hotmail to access my school E-mail accounts (I've been with them since before they were assimilated by Micros~1) because I know my school accounts can disappear at any time anyway (that's how it is at my school) so I'm not concerned about their security.
All the creatures will die, And all the things will be broken. That's the law of samurai. (Jubai, 1605)
I can now characterize the primary difference between Linux zealots and BSD zealots in one simple phrase:
Think about it: this simple difference in viewpoint encompasses the differences between the developer communities, the user communities, and even the hallmark licenses of both camps: the GPL which vests ownership of the code in ``the community'' vs. the BSD license vests ownership of the code with anyone who wants to use it.
It is hard to say which will prove to have the longest lasting effect on the world at this point. I have a pretty jaded viewpoint on how much John Q. Public wants to be saved from the evil that lurks within his phone, television, or internet connection, so long as he can figure out how to use it by watching a video that is not more than 1 commercial break long.
As for my house, we will stick with the nerds. I'm too busy to save the world. Even from themselves.
Central, server-based applications remove a lot of chores and cares from users. That's no different from other centralized utilities: people used to generate their own power and water, but today, most people rely on utilities. Those utilities generally do pretty well and provide reliable service. Occasionally, they do something dumb, or they just have bad luck, and a lot of people end up having service outages, but from the point of view of each individual, the service is usually still very reliable.
From the point of view of security, a diversity of professionally run computer services beats both a Windows/PC monoculture and a single huge server.
As for Hotmail--what do you expect? It's a free service, so why should they assume any liabilities? If you want a company that stands behind their security, you probably have to pay for the service. And you have to do a little bit of shopping to identify companies and vendors that actually care and know something about security.
Microsoft makes USER-FRIENDLY programs and makes boatloads of money.
:)
Meanwhile there's this neat little O/S called Linux that is a hella more secure and FreEe
Linux programmers are in it for the self glorification while M$ is in it for the aLmIghTy DoLla'.. we'll see who wins.. I'm rooting for Linux =)
The external societies support stupid people, give them great jobs and elevate them to the status of "artist". The Internet appears to demean them because here are a lot of people who consider themselves smart having fun and all the stupid people (in this field) are sitting around using hotmail and complaining how slow it is. We have a society here that doesn't support stupid people but every day the stupid people stand up and open their pockets and who can resist parting a fool from his money? I'm more in favour of an Internet Entry Test than anyone these days. If you try to join an external society you have to show your worth and sit an exam, the internet should be no different. (BTW - I'm posting anonymous because slashdot changed its IP (don't post a story on that or nuffin guys!) and that never-expiring-cookie invalidated itself. I haven't logged in for months, no idea where my password is, and the "mail password" button is ignoring me - QuantumG).
The shift in the balance of power between users and the owners of a server-based service is implied by the server-side model. If you choose to engage in this model, by necessity you cede almost all control to the owner of the server. It's your choice. When problems occur, usually it is the amount you paid which determines the size of the remedy. If you're using a free service, well, too bad.
While it is easy to attack this model, I will say that for the enterprise, it is a perfect way to control PC related costs and the information that is stored on corporate systems. That said, it is irresponsible for Sun to try to gain bottom-up support for this model by appealing to the lowest common denominator. They were completely impotent when it came to selling this vision to corporations, where it should have and could have been greeted with open arms.
The only person responsible for addressing your best interest is you. If you choose to abdicate that responsibility to a corporation, do it with your eyes open.
werd.. and I sit behind the most annoying firewall on the planet. Damn good point tho.. we're not all click-download-read-click-url-click-msword-attachment-click users.
guarantees that something will go wrong, especially when it's most needed to NOT go wrong.
(Because yes, you can want things to go wrong....sometimes...)
Insert mind here.
> Sun makes workstations (You know, like PCs, only bigger) and operating systems, too. Sun couldn't
> have possibly purchased Star Division to make StarOffice work better with these products, could they?
They might have - but not according to Sun: see the press release at http://www.sun.com/smi/Press/sunflash/9908/sunflash.990831.1.html. Do you want to get in a scrap with Scott McNealy about his company's direction?
--
Cheers
Jon
> Sun makes workstations (You know, like PCs, only bigger) and operating systems, too. Sun couldn't
> have possibly purchased Star Division to make StarOffice work better with these products, could they?
They might have - but not according to Sun: see the press release on Sun's web site. Do you want to get in a scrap with Scott McNealy about his company's direction?
Cheers
Jon
Personally I like using a pop3 account for my nonencrypted Email. Hotmail is a good choice for encrypted mail. When you use Hotmail you aren't passing out your credit card numbers to anyone so you have security through obscurity. As long as you use strong encryption with all parties, you can easily just get a new account. Since older accounts seem to pick up spam every few months getting a new account periodically is a good idea anyway.
I think Sun realizes that most lusers have no real concept of the difference between "local" and "networked." In the large network in which I work, I am asked several times a day about things residing on the "R Drive" or in "the Common Folder" and such nonsense. Worse yet are the calls asking if "the Netscape Server is down" when a site won't come up. The key here is to remember that it is a good thing for the average user to become dis-empowered, allowing those that know what they are doing to take over the world... ~Hermetic.
The author seems to contradict himself. On one hand he argues that centralization of services by Microsoft and Sun is evil and on the other he says that "Self-regulation doesn't work anymore." And if self regulation doesn't work then what would? Govt. regulation? I should think not.
Hotmail is not the only kid in town. It seems everyone is offering free email these days. So why do so many people use hotmail? Hotmail was one of the first web based email systems and had the largest user base. That's why microsoft bought them. They saw it as a way to flash the microsoft name in front of more people. So now every time the average joe gets on the internet, he fires up internet explorer (not netscape, that would take a bias against ms since he already has a perfectly good web browser preinstalled) and sees FREE EMAIL on his default home page. The Hotmail user base grows exponentially from all of this new advertising. And all ms did was advertise on their own site.
But WHY do people use it? Their ISP gave them an email account, which is arguably better. I started to say that it gives people a feeling of anonymity but most people use their real names and have probably never thought about encrypting their email.
Which brings me to my point. People, meaning the masses in general, want a centralization of services. MS and Sun know this and want to offer those services. "Aunt Suzie uses Hotmail so logically if I do too things might work better." Now, that much thought probably never goes into it but you get my point. People use hotmail of their "own free will". It's just Microsoft is getting very good at manipulating that "own free will."
sorry, It's too early to put very much thought into something like this.
I think that this will catch on, and here's why. Think of all the revenue that Adobe and MS and other software companies lose to people copying the software. They copy it because it's not all that hard to, and the software costs $300-$700 a copy. Most casual users don't want to pay that kind of money for a quality program when they don't use it more than once or twice a week (if that). Imagine an application service provider that has "lean" versions with all the capabilities of the larger copy (maybe only dl the tool when you use it, and then cache it or something), that you can't just copy onto your hard drive and use. Perhaps you sign up to this app serv prov (ASP) for say, $10-$20/mo and can use any of oodles of quality programs. If you use Photoshop, then the ASP gives a certain % or $ amt to Adobe. The software vendors make $ from it, the customer can have a choice of software they wouldn't be able to (legally) otherwise. The "power users" are the ones who generally buy the copy anyways, probably wouldn't opt for this. Maybe as an option to the service, you could choose to save what you make on the server or on your hard drive. If you need to access it somewhere else, then maybe leave it on the server temporarily. Yeah, there are some bugs (like how to stop people from passing the password to one account around) but those are the intricacies for the programmers to figure out. :) I prefer to keep my email on a server rather than on my local hard drive. There always comes a time where I have some info in my mailbox (saved or inbox) that I need to access, and wouldn't you know, I've got my laptop and not on my desktop, or I'm at a friend's house. Anything business related is on the company's server behind the firewall (which we use IMAP so it's always on the server, and with Iplanet, is accessible from anywhere, securely). Just because one "free" email service has a security hole doesn't mean that all internet services that store data are insecure.
Ironically, MS probably perceive their reaction to this as strengthening that last point. With many people, they may be right. The message seems to be "shut up and take it, we own you." It's a lie, but I recall a certain other large organization based on the idea that if you shout a lie long enough and loud enough, people will start to believe it.
And the Nazis weren't even incorporated.
phil :)
Kinda pleased with himself for worming the Nazi comparison in...
Assumptions: Home (l)user, using windows, 56k modem (probably a "win"-modem) dialup internet access, doing taxes, versus some yet-to-be-implemented network computer setup that involves a minimal OS, connected to an 'application server' through something like a X session, or something.
In order to get to your home windows (l)user, you've gotta get to them while they're connected, which could be for a day, or could be for 10 minutes, while they check their e-mail. And then, you have to hope that they haven't put that data on a zip disk, or a floppy, or something like that. And I know plenty of windows (l)users who save *everything* to floppy disks because they're "afraid of a hard drive crash that could wipe out everything". (keep in mind, here, that we're talking about the joe average home user, not the /. crowd. :))
If this (l)user was using some sort of NC service, all one would have to do is crack the security on that service. Then you would have access to this (l)user's data, as well as everyone else's in one convenient package, unlike having to go from machine to machine to machine to pick up several users' data.
This is not to dismiss the importance of the bug (or, wait, don't they call that a "feature"?) in either system. And it's kind of borderline 'security through obscurity'. But, overall, I think that I would feel more secure knowing that my data is stored right here where I can keep an eye on it, over having my data stored on some server located God knows where, that is constantly being hammered by attackers trying to get to this virtual gold mine of data. (maybe what I'm getting at is that my local PC isn't as attractive of a target as some NC server that has a few thousand people's data on it?)
Just my thoughts...
There's no significance at all and I can't understand why this "hack" has created so much attention in the media. This isn't the first time that Hotmail has been "hacked".. It's really no big deal at all.. okay so this person has access to 40 million accounts or whatever.. ooOoh he can get into your MAIL! what will he find? Credit card numbers and super secret passwords?!!? probably not. If you keep lots of important personal stuff in your hotmail account then you're an idiot, but on the other hand like 99% of the mail they will encounter is either a) chain letters, b) an advertisement as hotmail is notoriously known for, or c) just a little email from one buddy to another.... yes there is the *possibility* for them to find personal information or whatever, mostly passwords for accounts on other services.. whoopee doo..
Before hotmail was bought out by M$ there was a CGI error that allowed anyone to access every account.. *ooh* i haCkEd hotmail. yay lots of e-mail and if I'm actually bored enough to read all of this I may get some info out of it.... bah.... the only information I ever found was the dirt on a few girls I was interested in :) I got bored with it and actually felt guilty so a few months later I e-mailed hotmail supervisors telling them of what I had found and how to fix it.
but people get real.....
If hotmail or anything similar gets hacked/cracked again, the problem will be fixed in a heartbeat, just as this recent exploit was fixed. no big worry. the end.
If a hole such as this exists, in this day and age, IT WILL BE FOUND, and possibly exploited.
Does anyone remember who cracked 32-bit RSA encoding the first time? I don't, but I'll bet some of you do remember that it took the combined resources of the Internet something like 9 months to crack one simple text blurb with 32-bit encryption. That's why it's effective, and the larger the encryption, the more effective it becomes.
By comparison, how long did Hotmail even exist before they rolled out this "feature", what, two years tops? Furthermore, how long after they rolled out the unsecure "feature" did it get jacked? Not long at all. Are people going to ditch Hotmail? Hell, yes. Why? Because they can't trust it.
What I'm getting at is that tracing the person who found this hole (I can't even call it a crack with a straight face) is less productive to the community at large than is 1) fixing the problem and/or 2) not letting it happen in the first place. If you're running a mail service, for God's sake, leaving a hole in it like that is inexcusable.
Free is a very good price, as they're fond of saying here in Portland, but it's probably not a good price for mail services.
_____
The antidote to bad speech is not censorship, but more speech.
Okaaaay... Perhaps I'm missing something here, but just exactly why did this make Slashdot's "news-worthy" cut?
Maybe the link's wrong, or it's written in a language syntactically identical to English where all the words have different meaning, or something because all it looked like to me was a lamer suit-type whining about his latest conspiracy theory.
Case in point: Our friend the author here seems to think that since HotMail (TM and (R) as necessary) is an Internet-based service, it is inherently less secure than PC-based email. Okay, here's a question. Before I click that "Check for new mail" widget, where is my mail? OH MY GOSH! It's out there on that scary Internet! ARRRGH!
Okay, that sort-of nullifies his whole argument. Email is spooled on networked machines anyway, not sent directly from workstation to workstation. He fails to realize that all email has the same potential risk, and the first line-of-defense has much to do w/ quality of server software, and network security. These things can be fixed to a large extent.
Also, our friend the authordroid seems to be mistaking storing applications on a remote server with storing data on a remote server. Is there really any problem with accessing an application via network that updates itself automagically and lets you save your data either on the server or locally?
Perhaps, though... the application is really being controlled by pinkos hiding out at Sun who are reading your steamy letters to your girlfriend! Please! Enough with the conspiracy theories! Sun makes workstations (You know, like PCs, only bigger) and operating systems, too. Sun couldn't have possibly purchased Star Division to make StarOffice work better with these products, could they?
No, one shouldn't have to be an auto-technician to drive a car, but you should at least know enough so that you're not completely stranded when your tire blows out, or know who goes first at a four-way stop. Does anyone know how we got to live in a society where people pride themselves on not having to know things?
By the way, Mr. Stalder, that's HotMail Crack.
From a Sun Microsystems bug report (#4102680):
Pining for the days when The Glorious MEEPT!!! graced SlapDash with his wisdom.
As long as Microsoft exists they will be issuing security patches just so that they can claim a new "innovation" each time.
Has anyone ever seen any sort of guarantee on any sort of software? No?!? Didn't think so.
I just installed a fresh Win95b from CD. The first time you start IE it says: "This page will only be shown the first time you start IE... *Get your own free MSN Hotmail eMail Account!*"
Clicked that, page not found.
The article's author is wrong!
This BS about the dis-empowerment of the user is starting to become tiresome.
He's right, PCs DID empower the user. Anyone can buy a PC and be as empowered as they'd like. Install any OS you want. Write all your own applications too if you want!
The 'average' user has been empowered past his capacity. He has the tools to do anything with a computer that Microsoft or Sun can do. He doesn't have the ability and since he's a single person, he doesn't have the time.
So companies full of smart people get together and pool their collective resources and they create services like Hotmail & Star Office Portal.
Does this dis-empower the user? No. These services are optional and free. The user can try to make his own mail & office suite.
Does this empower the user? Yes. You can do more with these services than you can without them. They cost nothing and they're optional.
Did the phone company disempower people? How about electricity and running water? How about oil companies? After all, before these companies, a person could get water from a well or pump their own oil and refine it themselves to power their own generator to make their own electricity. Now THAT's autonomy!
Here's a suggestion: stop keeping score of who's powerful and who's weak and go get something done! Star Division and Hotmail created good products that have helped a lot of people. What have YOU created that's helped a lot of people?
As services on the net become ubiquitous and even your grandmother starts to use those services, I suspect that things will be changing. For the most part, I thought the story was a bit bogus, but the last statement was interesting:
Another way is to create mechanism of accountability, which replace fancy worded "commitments" with "binding obligations" so that screwing up really hurts. Like in most other areas of life.
I suspect that the truth of the internet service future is summed up rather well here. The more folks use these services, the more pressure there will be for providers of these services to be accountable. Admittedly, policing the net seems intractable. On the other hand, that doesn't mean some bright cookie won't figure out a decent way to deal with it.
For instance, what if Texas decided that it would make net service providers accountable for the stability and security of the services they provide? Maybe they would let anybody sue a Texas provider that didn't meet that provider's claims of stability and security in the hopes that companies would flock to Texas with the idea that net-users would consider Texan providers more accountable, hence generating more business locally?
IANAL, but such things seem at least possible. Or maybe there is a completely different idea out there floating around that would produce the same result.
I suspect that a world which allows idiots to sue McDonald's because the coffee they ordered was actually hot will eventually devolve into a world in which Joe Average can sue Provider-X for losing his index.html and not having a backup on the server.
I don't like it, but that seems to be the way things are going.
The article misses the point of manageability of fat clients versus a centralized server. A bug in a client program can take man-years for the fix to propagate. Think of the small problem found with Vixie cron recently, and estimate how many man-years of Linux admins' time was used to fix each individual system and how long it will be before all of the vulnerable versions are updated. Now, think about the collective time it takes the world to fix a problem with slashdot. Rob fixes it once, and it is fixed for everyone. This is why Microsoft having to fix a single server program isn't nearly as big of a deal as something like the Windows ping of death (that requires a fix to each individual machine). Solving this problem of propagating fixes is how I make my living. I convert legacy dBase and FoxPro programs (that companies are sick of having to continually update versions on potentially 100's of clients) into web-based applications written in PHP/MySQL.
Recently, my ISP added a "HELPFUL" page on its Web Page that lets me access my E-mail through HTML, instead of the regular POP system. I didn't ask for this. I don't want this. Until recently, I just ignored it. Though I have read as much information on the Hotmail Crack as I could find, I haven't been able to determine if whatever happened to them is something I need to be worried about or not. Is/was the Hotmail crack something specific to their implementation, or was it something about the HTML interface that caused the insecurity?
Nipok Nek
Why choose white shoes?
Hey look! I found all the commas missing from that article in my couch. ----> ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,
It's funny how those little "technical details" can make the difference to a story ...
I used to think that suing McD's for hot coffee was stupid too, until I learned some more details about that case. IIRC, the temperature of the coffee was 170degF, about 50degF higher than food service "industry standard." This is hot enough to cause third degree burns. The lady who sued McD's originally approached McD's to see if they would cover her hospital costs for those third-degree burns that the spilled coffee caused her. When they told her "get lost, that's not our problem," she then got a lawyer ...
It was uncovered, as part of the fact-finding for the case, that McD's in general, and that particular restaurant, had received numerous, documented complaints about the temperature of the coffee being high enough to cause burns. Yet McD's had chosen to ignore the problem. It was this pattern of negligent behavior that led the jury to award punitive damages as well.
McDonald's never admitted fault or responsibility, but for some mysterious reason, they soon after changed the settings on their coffee heaters down closer to 125degF, not hot enough to burn.
I'm not sure it's possible for an ISP to be this recklessly negligent concerning human health -- it's awfully tough to hurt anyone with bits and bandwidth. While there are stupid lawsuits and greedy lawyers out there, there are also stupid, greedy, negligent companies out there who won't do the right thing unless a judge makes them do it.
"Morality cannot be legislated, but behavior can be regulated. Judicial decrees may not change the heart, but they can restrain the heartless."
-- Dr. Martin Luther King, Jr.
and we've been saying for years that they will. With a few notable exceptions (GIFWorks is cool but you only really use it to compress your banner ads which you WANT people to see).
You know, I really get tired of the damn car/mechanic analogy. It just doesn't work. You can send and receive email without being a systems programmer. You can get documents created and disseminated without being a graphic design specialist. The fact is, you can "drive" your computer, you just have no idea as to how safe you are
if crackers want to read my 'sensitive' emails between me and some hot 'lesbian' from NYC, they can go right ahead. i always sent my emails knowing that someone can, and is probably reading every one of them. i'm not surprised at all that this happened.. especially since microsoft took it over.
Hotmail being cracked is not the end of Web-based mail. It's just a sign that M$ isn't doing its homework when it comes to security, and that people should withdraw their support for companies that do not provide secure storage and operation, if it's an important concern of theirs.
It certainly is one of mine, and all it means is that I use encrypted Webmail for less significant yet private issues, and PGP when I want real privacy. And it's why I do not have nor ever had a M$-owned Hotmail account.
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
You know, I really get tired of the damn car/mechanic analogy. It just doesn't work. You can send and receive email without being a systems programmer. You can get documents created and disseminated without being a graphic design specialist. The fact is, you can "drive" your computer, you just have no idea as to the health of your car. You still have to take it to a mechanic and he can lie, cheat and swindle you because you are uninformed. How is this different than computer security? Well, it's not. Actually, most people probably just have an overly inflated opinion of what their email is worth. Compared to proper automotive functioning and physical safety, most people's e-mail security rates quite low. This guy is a terrible thinker and has no idea what he is talking about and you all should know better. But I digress, if you know, you are empowered. Period. And it will never change. So sorry if you'd like a different scenario where ignorant users get the full power of personal computing. They don't, can't and never will. And you know what? It's a fucking choice! One that each of us makes. I tend to think computing is that important to me, so I choose to learn about it. I spend my time, energy and effort. And once in a while, I am rewarded. So pardon me if I don't give a damn if Billy can't compute. Unless Billy has a disability, tough. And AFAIK, laziness is not a disability. Next argument...
Ok, couple of things here:
A) EMail has always been stored on a server. All they offer is a web based reader.. It is sent to a server, routed by servers, and delivered to the reader, from a server.
B) StarOffice running under Java is NOT RUNNING on the %#$&^&$*@#%#^$ server. Java does NOT RUN on the server, for CRYING the FRIG out loud.. The java class files are presented to the user in some way, and the JVM runs it..
This article is barking up the wrong tree.. There isn't any skunk up that tree..
-- I'm the root of all that's evil, but you can call me cookie..
You can't trust another party, big or small.
You're not rebuking the idea of centralised computing, you're playing on people's prejudices against 20-year old dumb terminals that were hard to use.
In huge centralized system the effects of such attacks are greatly magnified because one single line of code can suddenly open millions of mailboxes.
And one line of bad code can't be much more of a risk on millions of PCs running the same (browser, e-mail, etc)? At least on a centralised server, it can be fixed for good, by qualified people.
You invariably end up with no rights what so ever, and you are likely not even to know it because you would have to be a computer scientist and a lawyer at the same time.
What exactly does this have to do with the matter at hand? How will putting a PC that needs to be configured, maintained and supported on every desktop help here?
Centrally managed computing (like Sun may offer) is a good answer for companies that need to manage hundreds or thousands of desktops for clueless users in a sane manner. No one is shoving anything down your throat. Yes, believe it or not, the big, nasty corporations aren't, in this case, trying to rob you blind, curtail your precious rights, or anything else. They just don't care.
The key difference between HotMail and StarOffice (as a service) is that StarOffice will run INSIDE the company, and therefore be the responsibility of "friendlies", NOT an external service provider.
Of course, they'll probably make it a net-available service as well, but so what? Big corporations *gasp* are still responsible for writing a lot of the software out there.
I don't know exactly what the author is trying to do here; it seems like they've strung together a list of 'hot-button' issues to make some kind of statement, one that we've heard many times before. It doesn't add anything really useful.
It is the same situation with license agreements for software. In the USA, the UCC and common law give consumers rights for purchased goods. The software industry does not want you to have any rights or remedies.
Mea navis aericumbens anguillis abundat
The post fails to grasp why we are moving back to large systems sitting in the middle of the network instead of little machines talking to each other.
Way back when, Moore noticed and projected his Moore's law saying that the speed and size of an individual processor would keep doubling. Great. So little iron gets the low costs of making millions of the little guys, mass market support, and low upgrade costs. Big iron only benefits from Moore's law, and falls behind. This happens for a decade or two.
Now the decade is over, and the tide turns the other way. Sun Microsystems, especially, has figured out a scaling law that says it can effectively (linearly) network an increasing number of processors. Over some period of time both the number of processors and the speed of processors double. Add in the shift from hardware costs to software costs, and big iron makes a comeback.
So, we've got a reason for big centralized machines to come back. If you want to make a case against this tide of technology, make it. If you can't, protest only as a luddite.
The Devout Capitalist
thalia4242@excite.com (Don't you hate the broken login script).
In huge centralized system the effects of such attacks are greatly magnified because one single line of code can suddenly open millions of mailboxes.
One single line of code can open zillions of Windoze 9* machines.
The time it would take to distribute the fix is going to be a tad longer than the time it took M$ to fix hotmail. That's the biggest advantage of centralized systems...
Breace.
Ok, let's try this again.. A Java Applet is just a class file.. It serves up files, and runs *TADA* on your local machine. I regularly use a 386 to serve up files, including several very large applets..
Servlets run on a server, and this has NOTHING to do with them..
-- I'm the root of all that's evil, but you can call me cookie..
I agree with the author in that using an ISP for an application service is a little nuts - well, maybe it's OK if you don't care about privacy at all.
However, centralization is a good thing. PCs are a total nightmare to manage. Keeping applications centralized within a company or home is a terrific idea; really, the way things are done with windows is pure madness. I can't wait 'til linux takes over.
support gun control: take guns from cops
The Swedish newspaper Expressen reports today that the Hotmail security breach has led to some serious consequences in Sweden. Someone used the "security issue" to steal and publish the email of a circle of Swedish prostitutes, containing data about their customers including sexual preferences. One of the customers named is the "leader of a major Swedish company". My Swedish is, ahem, a little rusty, but here is the article. (No, Babelfish doesn't offer Swedish as a source language.) I saw it reported first at ct News Ticker (in German).
Yes, you are right there. -- Another glass of champagne?
I use it too. It's ok, no cookies. I just wish it could check my POP3 account as well.
The move toward networked PCs is completely different from a move back toward dumb terminals. Terminals had their data pushed to them from a server with complete control, and PCs pull their data from whatever servers they want, and this is the key. Networking PCs therefore adds MORE power instead of taking it away.
However, I agree strongly that encryption is very necessary here. It shouldn't matter that the servers were breached because no one should be able to read the mail anyway! As long as my data is on a computer I have no control over, I should never trust it completely, and I should have the power to encrypt the smack out of it. This move would do more to put power to the users than anything else.
~Chris
Putting all of your valuable information in one place makes a more tempting target for crackers than spreading it all around. This is a basic principle of information security -- big centralized servers with terabytes of data are more interesting targets than hundreds or even dozens of smaller servers.
Security hackers know this very well. It is one of the chief arguments that Abelson et al. have used to rebut the notion of key escrow. See The Risks of Key Recovery, Key Escrow and Trusted Third-Party Encryption.
It is clear to me that the author of this article was addressing this general problem with centralization and how it affects huge centralized mail services like Hotmail and the push toward "servlets". It is troublesome that many readers are so quick to dismiss the inherent problems of overcentralization.
I used to use hotmail when it was HotMail. The day MS bought it I knew it was going to be a hacker playground, so I stopped using it.
We're not all idiots like the author. Most of us open src types dislike Microsoft for more intelligent reasons.
Slashdot guys: I think it's good to include articles like these from time to time. Imagine if Microsoft found this article before we could all poo-poo it. It would fit nicely into a PR smear campaign of the open source community. ("...another example of religious zealotry towards Microsoft from Germany... Idiots around the world attack Microsoft daily - do you want to be an idiot?" Ok ok, bad example, I leave better examples to PR-twisted drones.)
Too late to try to change it. We might just as well give in or invent a new vocabulary to replace the current ambiguous one. Suggestions ?
There will be no business in online applications as Sun is hoping. The essentials of everyone's computing needs will be covered by open source and that will include an office package. Sun's move is commendable, but it is too little too late.
Sorry!
Although the article raises some interesting points, it paints with too broad a brush when saying that computer users are becoming disempowered. It's yet another case of statistical generalization, which may delight journalists and politicians but is always very annoying to those that don't follow others like sheep nor benefit from it. Some users are disempowered, yes, namely those that are not able to assess for themselves whether relying on a service like Hotmail or a company like Microsoft is a good idea, and those who are not able to make the right evaluation and move to other pastures. But does it disempower you, as a Slashdot reader? Almost universally, no, because for the most part people who use this forum are competent enough to know when to leave a sinking ship or not to expose themselves to the hazard in the first place. We're not the Borg. We're individuals, and just because statistically something appears to be happening to some computer users doesn't mean that it is happening to computer users in general. There always will be people who are challenged in one or more areas and who as a result are prone to some group-specific ailment, but you can't extrapolate from that to the universe of people when that universe is as diverse as that of computer users.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra