Passport's Pocket Picked 327
emmons writes: "It looks like there's another hole in MS Passport according to Wired. This one allowing a user to steal another user's Passport Wallet, credit cards and all, by getting them to open a hotmail message. Nice." What happens when someone steals the basket with all your eggs?
Did anyone not see this coming? (Score:4, Insightful)
With passport, microsoft wishes to be the customs agent of the internet. However, with flaws like this they really are not going to turn many people over to their side.
I'm sure more exploits will pop up in the future. Most of them will likely use hotmail in someway or another to enter.
Public knowledge (Score:1, Insightful)
single point of failure (Score:4, Insightful)
Re:What happens when someone steals the basket wit (Score:5, Insightful)
Only the discoverer of the hole will be forced to announce it anonymously, and publish it only in dark little places where the lawyerly eyes of Microsoft won't find it. And unscrupulous eyes will.
I can see it happening already. And Microsoft would not even hear of the hole until it's far, far too late. It will be a very, very dark day if information is compromised on this scale.
The DMCA in this case would directly contribute to the destruction of the integrity of the Passport system.
Simply put - if only outlaws find security holes, then only (genuine) outlaws will have access to them.
What about PayPal etc.? (Score:4, Insightful)
Also, I had no idea 165 MILLION people were already using Passport - I suppose my OS hasn't asked me enough times to sign up for it until I break under the strain...
Passport liability (Score:4, Insightful)
Re:Burning Reichstag (Score:5, Insightful)
What they always have done. Rush a half-finished product out the door, and use whatever leverage they have to force it on whoever they can, while keeping the engineers busy in the back room with the bubblegum and duct-tape. Eventually, they'll get around to releasing a decent product.
Course, I won't be buying it then either. 8*)
Another lesson to be learned from this (Score:4, Insightful)
like Microsoft. But there are other 'takers'. Some even with the best of intentions.
If any of them ever gets to be the one and only 'central repository', they will be subject to just this kind of attack as well. If you can't compromise the service, then hack into the user's desktop. As soon as enough people use it, it becomes a very attractive target. In a similar vein, there have been viruses that target the client end of home-banking software.
Security is enhanced by redundancy, by having several distinct systems in place, preferably as dissimilar as possible. Monoculture and monopolies always form a fertile environment for viruses and other pests.
I feel this makes the whole idea of a centralized service like Passport or any of it's competitors an extremely dangerous development.
What about the other ways your CC # can be stolen? (Score:3, Insightful)
How often do you hand your credit card to a server at a restauraunt? A store? Over the phone to pay for something? Are you forgetting that your credit card number can easily be stolen that way? Most receipts from purchases have your credit card number on them. Do you shred / burn them to stop someone from getting your CC #?
Re:it isn't just about hotmail and passport wallet (Score:3, Insightful)
As good as MS has been at reacting to problems, I think the fear here is that MS has not shown much interest in being PROactive in preventing such problems, particularly problems with such potential for ruining people's credit histories or bank accounts. If that is a legitimate fear, then it's a whopper!
As you imply, this is the tip of the iceberg, if Passport is intended to be the be-all, end-all for
---
Re:Did anyone not see this coming? (Score:5, Insightful)
Hotmail is also the source of all of the passport accounts. Microsoft knows that Windows XP is not going to generate enough Passport accounts to entice web sites to start including Passport hooks. Hotmail, on the other hand, is very popular, and already has millions of users. Besides, if Microsoft can't design a secure Passport site, what is the chance that the bozos at your bank are going to be able to design a secure Passport site?
In other words Hotmail is both the primary draw for Passport, and an important proof of concept. Unfortunately for Microsoft it is also a huge gaping pile of security holes.
Re:And think... (Score:2, Insightful)
If you are stupid enought to trust ANYTHING vital to Microsoft in the first place then you deserve to have it stolen.
I want to see the press release they put out on this, i can see it now
"Here at Microsoft we are devoted to security, those evil hackers have again stolen your information, we must pass more laws punishing the offenders and in the future we will assure that nothing like this will happen again"
What he is saying is (we want to throw the smart people in jail so only idiots are left to use our software)
Re:Wow (Score:1, Insightful)
I don't think I'd bet on people or the media being able to make the distinction between "Microsoft's network products aren't safe" and "The Internet isn't safe". It's very possible that a crappy and widely exploited implementation of Passport (wallet) would be more threatening to e-commerce in general than to Microsoft in particular.
Re:Passport liability (Score:2, Insightful)
Re:What about PayPal etc.? (Score:2, Insightful)
Hotmail accounts are Passport accounts. This probably accounts for the bulk of them. A non-zero number of Hotmail accounts are inactive, or are just used as throwaway accounts. Interesting to see figures on this.
Microsoft just changed their Hotmail policy to require a login every 30 days or they'd disable your Hotmail. If you pay them money, you can get an upgraded account that includes never being disabled (while yu pay) and more storage. Still has a paltry attachment limit though.
Re:Burning Reichstag (Score:3, Insightful)
No one knows, or cares (Score:5, Insightful)
They are happily using their Hotmail accounts and have NO clue that these things exist. Sure, they might have it in PC World, or maybe the Technology section of the Times, but my MOTHER does not read these things. Only us geeks in the industry know ( we are a small percentage of the population).
Microsoft will fix this to appease the security experts, but that's about it.
As long as Joe Sixpack can stay happily ignorant, MS is happy. For example, one of my friends, a very intelligent Nuclear Physicist, just got suckered in to a CompUSA MegaPC w/ 1.2 GHZ, 1 GB RAM , DVD RAM and Windows XP for anout 5 Grand. He browses the web PERFECTLY fine on his 988 MHZ PC. He said the "pretty colors" of XP sold him. I told him of the security flaws and reasons for not going with XP (never mind the absolute non-necessity of the PC), and his response was "How come I haven't heard about these things you talk about?" I had no answer. That's how Microsoft stays in power. If we step outside the industry for a minute, we can see that Linux means nothing to most people, AOL IS the internet, and Windows IS a computer. How do we fix this? I don't know, but someone must.
Re:Anyone ready for that negligence suit? (Score:2, Insightful)
-z
Re:Microsoft leaked it anyway (Score:2, Insightful)
If you were a serious thief, you'd be no more apt to reveal the exploit than a magician to reveal the trick.
Visa... MasterCard... the banks... they all lose piles of money annually, yet say nothing, due to the negative marketing impact.
The DOJ's "Stop, or I'll say 'Stop' again" deal with Mr. Softy amounts to a fart in a thunderstorm. The only real judge, jury, and executioner is the market. When people tell Billy G. to talk to the hand, we're not swallowing your latest lock-in scheme, regardless of the good aspects of the engineering and convenience offered, then we can see about real competition.
Only the market, by refusing to buy flawed products, can improve the QA of anyone.
Re:Just when I was about to give in... (Score:2, Insightful)
Installing XP: Do you want to sign up for a passport account?
booting up for the first time: Cmon, sign up for a passport account.
starting up internet explorer: Sign up for a passport account. I'll be your freind!
entering hotmail: Oh yeah? well I'm not going to let you go here unless you sign up for passport!
this is a dramatization. I haven't used XP, and I don't want to(I have enough waiting in my life, thank you very much
Re:What about the other ways your CC # can be stol (Score:3, Insightful)
You do realize that you can be held liable for whatever charges your card incurs if you do not follow this kind of practice, dont you? And you do realize what happens if you are held liable for a $10K shopping spree that someone went on with your credit card? You pay it, you pay it at once, or your credit rating is slashed, you default on your house mortgage as your bank suddenly wants their money back and their money back _now_, you wont be able to get a new loan and you'll have to sell pretty much everything you own.
Im not kidding, I've seen that happen. I have a coworker who makes as much as I do, who can barely afford to eat lunch in the company resturant. Your life suddenly becomes a helluvalot more expensive once you're put on rapid payback on all your loans and the interest rates you're paying are doubled.