Slashdot Mirror


The Significance of the Hotmail Crack

Slothrup writes "Telepolis has an interesting piece linking the problems at Hotmail with the Sun purchase of Star Division. An excerpt: 'What the Hotmail hack shows is that the Internet's self-regulation doesn't work anymore because it relies on the assumption of more or less equal participants. This is clearly no longer the case.' " Interesting piece. Definitely worth a read.

20 of 185 comments

  1. Why Hotmail will lose few, if any, users by Zico · · Score: 2

    On the one hand, you have people like me who use Hotmail as a spam catcher. (I do actually skim for actual messages to me once a week or so, in case someone's trying to reach me through it.) If someone got into my account to read all my spam, I couldn't really care less.

    On the other hand, for those that actually use it as a major provider for their email, they've got to weigh the possibility of a breach happening to Hotmail in the future (and not happening to the other web email services) against the hassle of getting all their acquaintances to use their new email address. As someone who still gets email from an account I closed over two years ago (it still gets forwarded to me thanks to an understanding ISP), I can testify that it's a pain. You also have to consider that those people who do use web email as a major provider are rarely the type to come into contact with hacker types -- they're more the ma and pa type of user -- and were very unlikely to be targeted.

    Cheers,
    ZicoKnows@hotmail.com

  2. Re:Sun is living in the past and MS is -- well -- by cyanoacrylate · · Score: 3

    Sun is a HARDWARE and SUPPORT company. True, they sell Solaris, at a loss. True, they sell lots of products under the Solstice banner, but usually they're just 3rd party products with Sun's Stamp of Approval. Java is merely a part of the strategy to continue to sell big servers - Java applets (what's that? StarPortal did you say???) need to be served, and, in the size and scope that Sun is thinking in, (40 million users? (there's a convenient number...)) by the very servers they produce.

    Honestly... Whether the software is open source or not won't matter to Sun. It's just that RIGHT NOW the available commercial software is better for the markets they look at (KOffice will be _great_ but it's not there yet, and it's not written in Java)

    And the server-centric model is the right one... At least from a management perspective.

    --
    We are Microsoft. You will be assimilated. Resistance is Futile.

    --
    Don't like my sig? I don't either.
  3. you get what you pay for.. sometimes. by quadra · · Score: 2

    the article never mentions that as a hotmail user.. you never pay for support or even service. If you want greater control over your mail.. there is plenty of competition.. local ISPs.. large national and worldwide too. The key is that you have to pay something for it. Open source isn't the answer to everything. As far as I am concerned the only thing it has proved to do is breed innovation and stable, relatively bug-free applications. It doesn't however come with any guarantees.

  4. Not self-regulation; market regulation by lordsutch · · Score: 2

    The author misses the point in that we're not talking about self-regulation; Microsoft instead faces market regulation. MS has competitors in the freemail business, and will lose customers from Hotmail because of its security issues.

    If MS had a natural monopoly in freemail (like if Hotmail had a patent on the concept), I'd agree that self-regulation is insufficient. But in this case, the loss of customers and ad revenue for Hotmail, not to mention loss of MS credibility, will hurt them more than a few lawsuits from disgruntled parties.

    --
    My Blog. Sela Ward can sell me long distanc
  5. Re:Whiners by Hobbex · · Score: 2

    > If you use it for serious mail, you're an idiot.

    Which is of course what most of us have been saying for years, but seeing as no one listened until now, I do think all the noise is justified. The point of the discussion is supposed to be something along the lines of: "If Hotmail stinks and can't be used for serious work, will all other Internet applications stink as well?"

    -
    /. is like a steer's horns, a point here, a point there and a lot of bull in between.

  6. Access From ANYWHERE by Priestess · · Score: 2

    My flatmate started talking about this Hotmail crack last night. Obviously I corrected him, pointing out that it was merely a huge hole, no real cracking involved. Someone else in the room immediately started on about how she was going to get a Hotmail account soon and how exactly do you go about doing that?

    WHAT?

    Were you not listening to what we were talking about? Hotmail sucks, it's got a crap HTML interface that's slow and full of adverts and it's not secure and full of spam. What on earth would you want a Hotmail account for?

    You get to choose your own username and you can access from anywhere, not just from college. It would have been useful when I was in America last month.

    Um, yeah, or you could just get a proper pop/imap box from somewhere other than your school and learn how to access it from another computer. It's not hard.

    Didn't work of course. She's still planning to get a hotmail account. Nothing I could say would convince her otherwise coz all her friends are using hotmail and they all think it's great coz you can access from ANYWHERE.

    Bah. I'd sooner telnet to a pop3 port than face the nasty Hotmail interface.

    Pre.......
  7. slashdot makes CNN.COM on this one by jabber · · Score: 2

    Here's a somewhat off-topic cnn blurb about the slashdot response to the hotmail crack.

    It's quite a compliment when CNN gets its news by reading Slashdot. Tee-Hee!!

    --

    -- What you do today will cost you a day of your life.
  8. decentralization makes things worse by jetson123 · · Score: 2
    Decentralization in the form of end-user-run PCs doesn't solve any security problems. A single bad line of code in Windows opens up millions of Internet-connected PCs just as surely as a single bad line of code in Hotmail. But in addition to bugs, end users that maintain PCs generally have little experience or understanding of security issues.

    Central, server-based applications remove a lot of chores and cares from users. That's no different from other centralized utilities: people used to generate their own power and water, but today, most people rely on utilities. Those utilities generally do pretty well and provide reliable service. Occasionally, they do something dumb, or they just have bad luck, and a lot of people end up having service outages, but from the point of view of each individual, the service is usually still very reliable.

    From the point of view of security, a diversity of professionally run computer services beats both a Windows/PC monoculture and a single huge server.

    As for Hotmail--what do you expect? It's a free service, so why should they assume any liabilities? If you want a company that stands behind their security, you probably have to pay for the service. And you have to do a little bit of shopping to identify companies and vendors that actually care and know something about security.

  9. Re:Biased argument... by scrytch · · Score: 2

    That's why you don't say "Press F1" you say "hit the F1 key" (no most users will not strike the key with a hammer when you say "hit"). If this boggles them, you say, "should be right at the top". Then it's "hit the return key" if they're on a mac or most unix boxen, or "hit the enter key" if they're on a PC. Any good tech will know whether it's called Enter or Return to avoid lots of confusion.

    I'm just genuinely glad I never worked for external customer support, so users had to at least be able to find their ass with a map and compass in order to work there. Still, I've asked people what kind of computer they're running, and they say "NEC Multisync" (pronouncing NEC "neck" of course).

    --
    I've finally had it: until slashdot gets article moderation, I am not coming back.
  10. Re:Wha? by JonK · · Score: 2

    > Sun makes workstations (You know, like PCs, only bigger) and operating systems, too. Sun couldn't
    > have possibly purchased Star Division to make StarOffice work better with these products, could they?

    They might have - but not according to Sun: see the press release at http://www.sun.com/smi/Press/sunflash/9908/sunflash.990831.1.html. Do you want to get in a scrap with Scott McNealy about his company's direction?
    --
    Cheers

    Jon

  11. It matters not who, but how fast.. by dpdx · · Score: 2

    If a hole such as this exists, in this day and age, IT WILL BE FOUND, and possibly exploited.

    Does anyone remember who cracked 32-bit RSA encoding the first time? I don't, but I'll bet some of you do remember that it took the combined resources of the Internet something like 9 months to crack one simple text blurb with 32-bit encryption. That's why it's effective, and the larger the encryption, the more effective it becomes.

    By comparison, how long did Hotmail even exist before they rolled out this "feature", what, two years tops? Furthermore, how long after they rolled out the insecure "feature" did it get jacked? Not long at all. Are people going to ditch Hotmail? Hell, yes. Why? Because they can't trust it.

    What I'm getting at is that tracing the person who found this hole (I can't even call it a crack with a straight face) is less productive to the community at large than is 1) fixing the problem and/or 2) not letting it happen in the first place. If you're running a mail service, for God's sake, leaving a hole in it like that is inexcusable.

    Free is a very good price, as they're fond of saying here in Portland, but it's probably not a good price for mail services.

    --
    _____
    The antidote to bad speech is not censorship, but more speech.
  12. Okaaaay... Perhaps I'm missing something here, but just exactly why did this make Slashdot's "news-worthy" cut?

    Maybe the link's wrong, or it's written in a language syntactically identical to English where all the words have different meaning, or something, because all it looked like to me was a lamer suit-type whining about his latest conspiracy theory.

    Case in point: Our friend the author here seems to think that since HotMail (TM and (R) as necessary) is an Internet-based service, it is inherently less secure than PC-based email. Okay, here's a question. Before I click that "Check for new mail" widget, where is my mail? OH MY GOSH! It's out there on that scary Internet! ARRRGH!

    Okay, that sort-of nullifies his whole argument. Email is spooled on networked machines anyway, not sent directly from workstation to workstation. He fails to realize that all email has the same potential risk, and the first line-of-defense has much to do w/ quality of server software, and network security. These things can be fixed to a large extent.

    Also, our friend the authordroid seems to be mistaking storing applications on a remote server with storing data on a remote server. Is there really any problem with accessing an application via network that updates itself automagically and lets you save your data either on the server or locally?

    Perhaps, though... the application is really being controlled by pinkos hiding out at Sun who are reading your steamy letters to your girlfriend! Please! Enough with the conspiracy theories! Sun makes workstations (You know, like PCs, only bigger) and operating systems, too. Sun couldn't have possibly purchased Star Division to make StarOffice work better with these products, could they?

    No, one shouldn't have to be an auto-technician to drive a car, but you should at least know enough so that you're not completely stranded when your tire blows out, or know who goes first at a four-way stop. Does anyone know how we got to live in a society where people pride themselves on not having to know things?

    By the way, Mr. Stalder, that's HotMail Crack.


    From a Sun Microsystems bug report (#4102680):
    --
    Pining for the days when The Glorious MEEPT!!! graced SlapDash with his wisdom.
    1. Re:Wha? by dondelelcaro · · Score: 2
      While I don't claim to agree with the author's examples (in fact I think many of them are just plain wrong), I do see that in the future, as we attempt to use more centralized forms of data storage, a single crack can cause more damage than ever before.

      I kind of feel that this comes back to the old adage, "Don't put all of your eggs in one basket." While there is nothing evil about centralizing information, the consequences of a single crack are far greater... while the danger is still the same...

      From a user's standpoint, when you put your money in a bank, you kind of expect it to be there when you need to withdraw it... the bank should not be losing your money all over the place... or have your money stolen by Kro0kS... you don't really need to know how the FDIC (I think) insures the funds... you just expect your money to be safe. I don't know if any of us (well, most of us?) really understand the safeguards on our bank accounts, nor on the global ATM network...

      Ideally, a system, such as Hotmail should be secure. Granted, total security is never possible, but it should at least be reasonably secure...

      In short, distributed computing poses the same series of dangers as a centralized network, but generally the repercussions of a crack are not nearly as bad on a distributed network...

      Don Armstrong -".naidnE elttiL etah I"

      --
      http://www.donarmstrong.com
    2. Re:Wha? by jflynn · · Score: 3

      "Okay, here's a question. Before I click that "Check for new mail" widget, where is my mail? OH MY GOSH! It's out there on that scary Internet! ARRRGH!"

      Well, you just said it -- *new mail*. Sure your e-mail passes through the internet, but it spends very little of its time there. Most of my e-mail has been safely in its folders on my system for months, and only on the internet for hours.

      The other issue is concentration of resources. Sure it's cheaper and easier to keep 40 million people's e-mail (the entire history for many, not just their recent e-mail) on one set of large servers. But that same concentration means one single flaw in security can expose that entire quantity of e-mail (as was just demonstrated.) When e-mail is stored locally on end users' machines the risk is distributed, and each person can be more responsible for their own safety.

      "Also, our friend the authordroid seems to be mistaking storing applications on a remote sever with storing data on a remote server. Is there really any problem with accessing an application via network that updates itself automagically and lets you save your data either on the server or locally?"

      You know, I think that's an excellent idea for web apps like StarOffice and HotMail: keep the files locally, the applications centrally. But I get the impression it wasn't an option for HotMail. It won't be an option for those on WebTV either (like we care -- I know.)

      I have nothing against Sun's plan to market web applications, they have a lot to recommend them in ease, price, and convenience. We have to be realistic about the flaws too though, or we're going to see too many more incidents like the recent HotMail crack.

      Jim


  13. Re:Biased argument... by scrytch · · Score: 2

    er, 'up at the top'. one tries to avoid using words like "right at". otherwise people will look for it at the top right. i'm so glad the clue level is higher here so i don't have to remember these things.

    --
    I've finally had it: until slashdot gets article moderation, I am not coming back.
  14. Wrong! by Anonymous Coward · · Score: 2

    The article's author is wrong!

    This BS about the dis-empowerment of the user is starting to become tiresome.

    He's right, PCs DID empower the user. Anyone can buy a PC and be as empowered as they'd like. Install any OS you want. Write all your own applications too if you want!

    The 'average' user has been empowered past his capacity. He has the tools to do anything with a computer that Microsoft or Sun can do. He doesn't have the ability and since he's a single person, he doesn't have the time.

    So companies full of smart people get together and pool their collective resources and they create services like Hotmail & Star Office Portal.

    Does this dis-empower the user? No. These services are optional and free. The user can try to make his own mail & office suite.

    Does this empower the user? Yes. You can do more with these services than you can without them. They cost nothing and they're optional.

    Did the phone company disempower people? How about electricity and running water? How about oil companies? After all, before these companies, a person could get water from a well or pump their own oil and refine it themselves to power their own generator to make their own electricity. Now THAT's autonomy!

    Here's a suggestion: stop keeping score of who's powerful and who's weak and go get something done! Star Division and Hotmail created good products that have helped a lot of people. What have YOU created that's helped a lot of people?

  15. the net "for everyone else" by jetpack · · Score: 2

    As services on the net become ubiquitous and even your grandmother starts to use those services, I suspect that things will be changing. For the most part, I thought the story was a bit bogus, but the last statement was interesting:

    Another way is to create mechanisms of accountability, which replace fancy-worded "commitments" with "binding obligations" so that screwing up really hurts. Like in most other areas of life.

    I suspect that the truth of the internet service future is summed up rather well here. The more folks use these services, the more pressure there will be for providers of these services to be accountable. Admittedly, policing the net seems intractable. On the other hand, that doesn't mean some bright cookie won't figure out a decent way to deal with it.

    For instance, what if Texas decided that it would make net service providers accountable for the stability and security of the services they provide? Maybe they would let anybody sue a Texas provider that didn't meet that provider's claims of stability and security, in the hope that companies would flock to Texas with the idea that net-users would consider Texan providers more accountable, hence generating more business locally?

    IANAL, but such things seem at least possible. Or maybe there is a completely different idea out there floating around that would produce the same result.

    I suspect that a world which allows idiots to sue McDonald's because the coffee they ordered was actually hot will eventually devolve into a world in which Joe Average can sue Provider-X for losing his index.html and not having a backup on the server.

    I don't like it, but that seems to be the way things are going.

  16. fat client vs. centralized server by Anonymous Coward · · Score: 2

    The article misses the point of manageability of fat clients versus a centralized server. A bug in a client program can take man-years for the fix to propagate. Think of the small problem found with Vixie cron recently, and estimate how many man-years of Linux admins' time was used to fix each individual system and how long it will be before all of the vulnerable versions are updated. Now, think about the collective time it takes the world to fix a problem with Slashdot. Rob fixes it once, and it is fixed for everyone. This is why Microsoft having to fix a single server program isn't nearly as big of a deal as something like the Windows ping of death (that requires a fix to each individual machine). Solving this problem of propagating fixes is how I make my living. I convert legacy dBase and FoxPro programs (that companies are sick of having to continually update versions on potentially hundreds of clients) into web-based applications written in PHP/MySQL.

  17. Wrong, wrong, wrong. by mnot · · Score: 4
    ...With[sic] sounds almost like mainframes all over!

    You're not rebuking the idea of centralised computing, you're playing on people's prejudices against 20-year old dumb terminals that were hard to use.

    In huge centralized system the effects of such attacks are greatly magnified because one single line of code can suddenly open millions of mailboxes.

    And one line of bad code can't be much more of a risk on millions of PCs running the same (browser, e-mail, etc)? At least on a centralised server, it can be fixed for good, by qualified people.

    You invariably end up with no rights whatsoever, and you are likely not even to know it because you would have to be a computer scientist and a lawyer at the same time.

    What exactly does this have to do with the matter at hand? How will putting a PC that needs to be configured, maintained and supported on every desktop help here?

    Centrally managed computing (like Sun may offer) is a good answer for companies that need to manage hundreds or thousands of desktops for clueless users in a sane manner. No one is shoving anything down your throat. Yes, believe it or not, the big, nasty corporations aren't, in this case, trying to rob you blind, curtail your precious rights, or anything else. They just don't care.

    The key difference between HotMail and StarOffice (as a service) is that StarOffice will run INSIDE the company, and therefore be the responsibility of "friendlies", NOT an external service provider.

    Of course, they'll probably make it a net-available service as well, but so what? Big corporations *gasp* are still responsible for writing a lot of the software out there.

    I don't know exactly what the author is trying to do here; it seems like they've strung together a list of 'hot-button' issues to make some kind of statement, one that we've heard many times before. It doesn't add anything really useful.

  18. No disempowerment for the technically aware by Morgaine · · Score: 2

    Although the article raises some interesting points, it paints with too broad a brush when saying that computer users are becoming disempowered. It's yet another case of statistical generalization, which may delight journalists and politicians but is always very annoying to those that don't follow others like sheep nor benefit from it.

    Some users are disempowered, yes, namely those that are not able to assess for themselves whether relying on a service like Hotmail or a company like Microsoft is a good idea, and those who are not able to make the right evaluation and move to other pastures. But does it disempower you, as a Slashdot reader? Almost universally, no, because for the most part people who use this forum are competent enough to know when to leave a sinking ship or not to expose themselves to the hazard in the first place.

    We're not the Borg. We're individuals, and just because statistically something appears to be happening to some computer users doesn't mean that it is happening to computer users in general. There always will be people who are challenged in one or more areas and who as a result are prone to some group-specific ailment, but you can't extrapolate from that to the universe of people when that universe is as diverse as that of computer users.

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra