Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Bug

Another Hole in Hotmail 219

Ancipital noted that a new hotmail hole has sprung up. This one is, like the ILUVYOU bug, a VBS macro attachment that must be executed by people with very (ok, who does this, huh? I mean, viewing a gif or clicking a URL, but running a strange program? The mind boggles).
This discussion has been archived. No new comments can be posted.

Another Hole in Hotmail

Comments Filter:
  • Maybe they were overwhelmed by dialog boxes popping up and were just doing whatever it took to make the dern thing go away.
  • About six months (mainly as a spamcatcher) and I quit using it when it became necessary to have javascript enabled to access my account. I have the nasty stuff turned off in Netscape.

  • Sure they can. In 1996, 34% of the American public voted for Bill Clinton... again.

    When you look at pop culture, and other countries leaders, it's obvious that most people are that stupid. I'm surprised the result wasn't higher.
    --

  • The attachment you are about to open may contain a virus. To continue opening, type "virus threat accepted", otherwise press return.

    On a very similar idea you could also have a form where there was the explanation, in which was said at the end to type "yes" or "no" into a text box and click okay. Perhaps something short but unique could be used for each different box. I think "virus threat accepted" is a little long, users might make a typo and not figure it out.

    E.G.
    You are about to format your disk. Formating your disk will erase all the information on it. Type "format" into the text box and click okay to format. Type "no" or click cancel to stop this operation. Remember, this formatting the disk will erase all information on it.
    ---------------
    | &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp &nbsp|
    ---------------
    &nbsp &nbsp [okay] &nbsp &nbsp [no]

  • Shouldn't that be Monday OR Friday?
  • Never used hotmail.

    For the online signup stuff, I have a pseudonym that has an e-mail alias on my own domain name that sends incoming mail to /dev/null

    Very convenient - I never even see the spam.

  • Maybe it's time to be less GUI and force the users to think (FDISK does something similar):

    The attachment you are about to open may contain a virus. To continue opening, type "virus threat accepted", otherwise press return.
  • Same kind of thing when you go to an AOL chatroom and tell them they can get your pic by pressing ALT+F4, it's been around forever, but the cluebies still fall for it. Idiots. :\
  • Slashdot poll suggestion:

    In order to continue reading the pr0n trolls on Slashdot, you must pour a bowl of hot grits into your hard drive right now, and click OK. Do you wish to continue?

    1. Yes
    2. OK

    (Glossary: "hard drive" is usually used to denote the secondary storage device on your computer...)

  • I wonder what hotmail does if you check the "remember my password" option..

    It probably just sends you the same cookie but with an expires field, so the browser will store the cookie on the hard drive. If the cookie doesn't have an expires field, then it's kept only memory. If you need to login as a new user, restart the browser.

    Of course, if one is going to do something like this over the Internet, it should be encrypted. BTW, slashdot isn't the only one. Linuxtoday.com uses plaintext cookies for authentication also.

  • Message I got when deleting my spam bucket:

    Message to Hotmail Members

    We apologize, but your account is temporarily unavailable. This delay does not affect the entire site or relate specifically to your account, but the machine that holds your account information is temporarily unavailable. We do not expect this delay to last much longer, so please continue to check our site for your account status.
    We will do our best to make your account available as quickly as possible. We appreciate your support, and sincerely apologize for the inconvenience.

    © 2000 Microsoft Corporation. All rights reserved. Terms of Service Privacy Statement
  • Naah, no-one would be stupid enough to embed a plaintext user password directly into an authentication cookie. Well, maybe Microsoft and Hotmail, but no-one who had the slightest clue about the issues Slashdotters care about.

    Would they?

    #!/usr/bin/perl -w

    open COOKIE, $ENV{HOME} . "/.netscape/cookies" or die;

    while (<COOKIE>) {
    if (/slashdot/) {
    chomp;
    my @args = split;
    my $cookie = pop @args;
    $cookie =~ s/\%25//g;
    print pack("H*", $cookie), "\n";
    }

    }

    --
  • If hotmail works on your machine, so will this.

    I once read that Wingate was full of holes. You might want to look into that.

  • Actually, they were infected by the Intelligensia Virus, which causes dumb people to make what they believe to be intelligent, informed decisions..
  • I hadn't thought about it quite like that. While dialog boxes in Windows are not limited to error messages, maybe they should be.

    ...and you're right, I run Gnome on my PC at home, and the only dialog box message that I get regularly (that I ignore) is the one that tells me I'm running the Gnome File Manager as root and that I could damage my system if I'm not careful.

  • I don't use Hotmail. Does it automatically display HTML attachments?

    Using an HTML file to execute malicious javascript seems pretty straightforward. Are any of the other web-based email services (Yahoo, Eudoramail, Mac.com, etc) vulnerable to similar attacks?

  • If your mental age stayed in the single digits, I suppose it could approach a low number, since you IQ is your mental age divided by your physical age.
  • Try logging on to Hotmail, not touching anything for 30 mins and then clicking on 'read mail'. If they have the server set up sensibly, you'll have to enter your user name and password again.

    On the other hand, if Microsoft have done something really really dumb, like including the password in a cookie, then there's really no hoe for them.


    Hotmail stores your user information in a session cookie, not a persistent (disk) cookie. If you close all your browser windows and access hotmail again, you are required to enter your password again... unlike Slashdot I might note.

    I know the session cookie has an expiration period, but I don't remember what it is. Probably something like 20 minutes.

    -konstant
    Yes! We are all individuals! I'm not!
  • HTML and RTF allow us to format email far more effectively than plain text ever will. Shouldn't we just make them more secure?

    You use RTF for email? HTML -- if stripped down to the most basic tags -- I can understand, but why RTF?

  • by Anonymous Coward on Wednesday May 10, 2000 @06:08AM (#1081009)
    I thought this story was quite. Besides being, it was to read! I wonder why Microsoft can't get off, and implement.

    This is not, the JavaScript exploit in existence! Microsoft should, otherwise the users. The mind boggles.

    But then again, I rarely. So who. Well!
  • I got a Hotmail account years ago (my first email account, and before MS bought Hotmail). I still have it, although I don't use it that often. I really only use it as an alternate account during the summer, since my school account won't let me log in from a different server, and because several of my friends keep sending me stuff at that address even though I keep giving them the new one.

    ---
    Zardoz has spoken!
  • And the other 2/3 - 1 persons clicked no? Only one remembered not to run that executable?

    Right?

  • "ok, who does this, huh? I mean, viewing a gif or clicking a URL, but running a strange program?"

    Not everyone knows the difference. They see the attachment and click. After the last one, I sent an explanation of how to figure out what kind of file the attachment is (by looking at the extension) and why it's important to know before you click on it.
    Since I support a hundred-plus windows users, I'm not really surprised that people don't know this. I'm sort of irritated, though, that if I don't tell them stuff like this, they aren't going to learn it anywhere else. The programs don't have little warning screens about it, and no one will ever RTFM, so they're stuck. Good thing we don't use Outlook here, eh? We still got last week's virus, but only two people lost .jpgs over it.

    -jpowers
    You Know You've Been Watching Too Much Ranma 1/2 When...
  • It seems to me that it would be fairly trivial to embed an ActiveX component in an HTML email, to mess with people who read their mail with ActiveX-enabled software (Hotmail via MSIE, Outlook, etc.). Since ActiveX is just plain-vanilla binary executables with the most minimal security imaginable, it could do all sorts of unpleasant things when viewed. It could, for example: propagate itself (by interfacing with Outlook), embed itself into every HTML file on the user's hard drive, embed itself into all outgoing HTML mail (in which case it could become nearly uncatchable), send all sorts of info over the net, install backdoors, etc. I'm surprised it hasn't been done already.


    ---
    Zardoz has spoken!
  • It is not a matter of educating people. We will never be able to educate everyone enough. People will always be stupid. Even if you are the smartest person, you still do remarkably stupid things. I have yet to meet the person that can not qucikly think of at least 5 times they did things that any rational person would comment as completely stupid. As for people cliking in an email for most users a computer is as much of a magic creation as the internal combustion engine. How many drivers know exactly how their car works and can repair it? These computer users are the same ones that repeatedly send forwards on because if they send it to 200,000 people Timmy will receive millions in health care and they will see a cool qt movie on their pc. People do stupid things. We will continue to do stupid things. Therefore education helps but people will always clik a button if the pros seem to outweigh the posssible negatives. Or even if it is jut in front of them. just my one cent.
  • Oh my god.. I think I need to get some sleep...
    --
  • you see, this is the problem with the world today. everyone is so concerned with the format and correctness of everything, not of what it is trying to tell you. it doesnt matter one bit if his grammar is wrong, if he spells something wrong, etc, its just being anal about something so completely insignifigant that brings nothing but stress to everyone. get over it, it not going t affect your life if someone talks differently then you do, and if it does, your life must not be worth that much.

    point in case, my lack of capitals and most punctuation, i hope it gives you nightmares.

    -Malachai
    -Sometimes i want to masturbate but then i feel that i dont deserve myself.
  • We've had the same here in Luxembourg where a local radio station reported that ILOVEYOU had destroyed millions of computers (Did their CPU explode?) but completely forgot to mention that one could just delete the mail without launching the attachment and that's it.

    They also said that there were no Antivirus tools available that could detect VBS.LoveLetter which was just plain wrong, as I had downloaded updates for InnocuLAN, McAfee, Norton AV and AVP about 2 hours before their report.

  • Hmm - a tip. When looking for karma, try getting your facts right. As anyone who reads /. should know, you can't put anything programmatic in a cookie (and that includes jscript).

  • by thimo ( 36102 ) on Wednesday May 10, 2000 @09:46PM (#1081019) Homepage
    The point was that people don't read the dialog.

    Yes, but the point was that users *might* think that formatting the HD is a good thing. Sometimes it is, when you detect Windows on it, to install OS blablabla ;), but normally it is not what you want. The point of the poster you replied to was that the user doesn't need to know that formatting is bad and thus you don't know for sure 1 out of 3 users don't read dialog boxes.

    Thimo
    --
  • ... is that most users don't know that other extensions than .exe can actually run "a programme". So even if they did see .js or .vbs they wouldn't even know not to run it. For most users, the only way to find out what type a file is, is to double-click.
  • I think he was about to say "with very small cranial cavities", but I could be wrong.

  • Err actually both are not necessarily true. It is not difficult to find a situation where (a) the engine speed will decrease or remain constant; and (b) the speed of the car will decrease or remain constant when you floor the gas pedal (e.g. while going up a steep hill with a small engine or heavy load).

    The name "accelerator" is a bit confusing because it implies that it will cause your car to accelerate. More often than not, it's used to keep your car at a constant speed, and oftentimes it will be used to slow the car down. Most people wisely don't call it an "accelerator".

    Rather, most people call it a "gas pedal" and likewise use phrases like "giving it some gas" and "laying off the gas". This to me shows that they have a very good understanding of what the pedal does: it allows more gasoline into the fuel mixture. Also, it would seem that most people will not expect the gas pedal to cause any sort of positive acceleration when going up a steep hill (for example), so I'd say your assumption that most people just expect it to speed up the car is false. Also, your assumption that it doesn't matter would also seem to be false, otherwise extreme confusion would ensue when people would drive in hilly or mountainous parts.

    This may seem off-topic, but it's not. Would it be too much to ask to give the populous at large the benefit of the doubt? Most people know what's going on with most things, and they don't need it to be overly dumbed down. The worst case of this is retarded software companies who make programs that mimic real-life devices in order to presumably make it "easier to use" (examples are CD players which look like real CD players, chat programs which look like telephones, e-mail programs which make analogies to snail mail protocols). Oftentimes, the program will be come out extremely crippled, and pretty much inferior in every way to its competitors. Also, it come out being a little bit condescending, which I'm sure can't help its sales. People know that an increase in gas in the fuel mixture in their car causes an increase in power because they've experienced it, not because there's a sticker that says "speed" or any such nonsense pasted on to it.
  • Not automatically: the items still have to be selected in order to be viewed. However, that's enough for the script to run and capture session data.
  • I have done a web based email reader recently, and the unique cookie assigned can only be used by the ip address it was issued to. If some other ip tries to request a page with that cookie, it gets rejected. Such a trivial technique, works well too.

    Proxies of course make it look like everyone has the same ip, but this uses SSL which normally doesn't get proxied.

  • Just the addition of an IP address encoded as part of the session key will block out *most* of the people who could grab your cookie for this hack. The only ones it doesn't affect are those with the same IP address as the unsuspecting Hotmail user, which would occur if the Hotmail user was behind the same proxy as the perpetrator. Its an easy change to make, since they are (assumedly) already going back to verify the session key in some respect.
  • Write a Javascript embedded in an HTML that automatically sends the reader to another website. How much damage can you do to a person's PC once they get to a website? Especially with Java or VB/JavaScript?

    The problem would be that it wouldn't take long for the site to get shuttered and the manhunt would be on. Perhaps.
  • People don't want to face decisions.

    Unfortunately, software requires you to make decisions, and dumbly clicking on "OK" all the time is seen just as a quick way to make the problem go away. Unfortunately, it's not the case. Ideally, the user interface of an application should be engineered and designed to stay flexible intuitive, easy to learn while popping up the minimum number of questions. These goals cannot be accomplished all the times for every situation. In such cases, where the full attention of the user is needed, I'd suggest to force him to use a different input device in order to proceed than the one he usually uses. Today it would mean that you'd have to require confirmation via keyboard (perhaps requiring to type an extensive `yes' instead of a simple `y' (or whatever). I know this may be source of troubles, but I don't see alternatives if questions can't be avoided.

  • I developed it on paid time, it was company property. I didn't keep a copy (I don't use Windows at home for anything but games, so I wasn't tempted).

    I was pretty sure it would spread to millions of computers, and I'd get a bonus. Instead I got a pat on the back from the guy in the next cubicle (who didn't install the software either), and the company refused to hire me as a regular employee when my co-op term ended (despite demonstrated ability as one of their best programmers, and their desperate need for a rewrite of an in-house package I was intimately familiar with, I was "unqualified" without a degree). Very disappointing.
  • I also don't use Lookout Express.
  • Yea.. it sure does! Also provokes a swearing response and a tendency to scream if something important is being worked on .. well, it does from me as it's FAR too frequent with my machine running Nice Try SP6 .. i.e. it actually happens. Only time I saw Linux kernel panic was when I had a machine with a dodgy simm socket and half the machine's memory just 'disappeared'.. kinda understanding it would get upset..

    Anyway.. I digress.

    --
  • How does it make you feel when so many here blame Microsoft Outlook for the ILOVEYOU virus. The prevailing attitude is "Microsoft should have protected users of Outlook. Instead of calling it Outlook, better call it Lookout", etc.

    What they are really suggesting is that Microsoft should bundle anti-virus software with Windows and Outlook. Seems to me that the bundling issue got you guys into a bunch of trouble already.

    You can't have it both ways folks. If you are going to split Microsoft in two for bundling software, you can't demand that they bundle more software to protect from virii.

    Ugh. Expecting anything but bigoted bullshit about Microsoft from /. is asking too much, it seems.

  • the tricky part about this is that you don't need to click on the attachment. Hotmail, just like many of the other newer email clients, recognizes it as html code, and embeds the html page into the page automatically. Unless you've changed settings, this will happen without you actually doing anything.

    it's not a vbs file. it's an embeded javascript. there is no virus check run because it's not a virus and there isn't an anti-virus that checks for potentially malignant javascript. Hell, the creator only had to identify the cookie, the username, and the server the cookie was being held on, and automatically send all of this info to another account (which could have been a hotmail account)

    Not everyone had to actually open the attachment.
  • yeah, i thought using that feature in hotmail was cool but after using it for a while i became frightened :D
  • No lie, I work on a college campus with PhD's who will open anything...we had several people run the ILOVEYOU .exe without even thinking twice about and then they piss and moan when I tell them it will be a day or two before I can find the time to come out and rebuild their machines.

    ID10T's....all of 'em.

  • I tried this thing on my Yahoo mail account and it changed the <script> tag to <cursive> :)

  • OK, so bashing hotmail.com in /. is pretty easy, but there is one single aspect that I think makes hotmail the best free web-based e-mail service: they do close spam generating accounts or drop-in box accounts. You guys in this thread seem not to pay much attention to this.

    I used to receive about 5 spam messages a day and never have I sent a complaint with a full header to abuse@hotmail.com I got spam from the same address again. I can't say the same about any other web-mail.


  • Many people don't understand the ramifications of actions online. Just like long ago on AOL, even though the was a warning label on everything, people still gave away thier Screen names and passwords.
  • If you insist on designing software services so easy that an idiot can use them, then expect idiots to use them. Now couple this with a need to "innovate", ie force out upgrades to software with features that people don't need then what do you expect?
  • What kind of grammer is that?

    With very what?! Egads.

    Linux Band Bratwurst Orange [mp3.com]
    Beos Band XIR: Xir is recursive [mp3.com]
  • Except that all news client I know displays the extention anyway so you'll have to save the file and open the folder you saved it to in order to have the extention hidden

    Not exactly the same, is it ?
  • by SethJohnson ( 112166 ) on Wednesday May 10, 2000 @06:12AM (#1081042) Homepage Journal


    This is an embedded javascript exploit, just like some of the earlier exploits (not VBS as described above by CT). Hotmail is filtering out javascript within the bodies of e-mail, but not attached html files. They could remedy this by either filtering attached html files (not so easy to do) or by offloading the attachments to be read from a seperate server outside the *.hotmail.com domain (my recommendation).


    Here's an awesome story [wired.com] about another risk of using web-based e-mail. It describes how your IP address could be identified if the sender attaches an IMG tag to the e-mail and then watches the web server log for when you read the mail and your browser requests the image from her server. Clever.



    Seth
  • I used to do that with Netbus. People would be looking at porn sites or something, and I'd pop up a dialog that said "In order to continue, your hard drive must first be properly reformatted. Do you wish to continue?"

    I was nothing short of amazed at how many people clicked OK. It must have been at least a third, if not half.

  • And let that be a lesson to everyone; you're just not being malicious enough!

    You punk kid virus writers are becoming lazy no-goodniks who just want to live off the government dole! Back when I was a kid, we had to walk 7 miles through unsorted punchcards if we wanted to write a virus; and we didn't have no fancy-schmancy new-fangled "scripting languages", neither, nosirree, we had to imprint the binary on cardboard boxes, which in turn we'd mamble famble until they'd turn into finely crafted executables, yes sirree.

  • theres a Wired [wired.com] article and a ZDNet [zdnet.com] article.

    From the ZDNet article:
    Bennett Haselton, Webmaster for Peacefire.org, said the flaw involves sending a user an e-mail with an HTML attachment. When the user clicks on the attachment, the file sends a copy of the user?s cookie to the hacker.
    Once that cookie is received, the hacker can insert it manually into the Netscape cookies.txt file and use that authentication key to log in to Hotmail as the user. Click here [peacefire.org] for a description of the trick.
    <snip>
    Not a 'trivial bug'
    Since the cookie does not contain the user's password, the hacker can only access the account when the user is logged on and as long as the authentication code is valid. But Haselton said that five minutes would be long enough for a hacker with a prepared script to download all of a user's e-mail messages.

    Best I could see, theres no email floating around doing this - its just an idea at this point. And for it to propagate(sp?) like luvbug or melissa, it'd need a script to use the hotmail address book. As it sits right now, it'd just come from one guy who knew lots of hotmail addresses. Someone correct me if I'm wrong on this, tho :)

    -----
    If Bill Gates had a nickel for every time Windows crashed...

  • What I saw made me laugh over and over again. The news people on almost every channel gave the following advice.

    1.) If you get an e-mail that your not expecting (hmmm all of them!) call the person and ask them if they sent you mail.
    Why don't you just drive over to their house and ask them.... DUH!

    2.) Make sure you virus software is up to date.
    Hello! This didn't work and wouldn't work because this was a NEW virus. They had a virus defintion only hours after the bug hit! What good would it have done!
  • Ok, while I disagree with your point in general, I will concede that it is the meaning of a sentance that makes the most difference. However, a trailing adjective/adverb that modifies nothing is a problem anyone can be justified complaining about. This is why it bothers us when we see stories that have sentances that just
  • Then, when the ILOVEYOU crap started, I had to send 2 separate emails with all caps in the body and a header that read "READ THIS!!" or something to get their attention. In it I said not to open attachments. Several people stopped me to ask; "Is it okay to open attachments?"
    I've always wanted to leave a claw hammer on my desk with a note attached that says:
    This is a hammer. Please do not hit yourself in the head with it. Hitting yourself in the head with this hammer will cause serious and permanent brain damage.
    That way I have something to point to when someone asks me if it's OK to open email attachments. Doesn't work too well over the phone, but I'm sure I could make use of a suitable GIF on the web server..
  • by FascDot Killed My Pr ( 24021 ) on Wednesday May 10, 2000 @06:15AM (#1081070)
    Here's the exploit:

    1) Find a story about technology (if your name is "Katz" this step is unneeded)
    2) Skim the headline of said story to "get the gist".
    3) Submit story to Slashdot, paying special attention to making it seem like this story is related to some hot topic.

    For instance, if the story is about a misconfigured website allowing a security breach, make it seem like the story is related to a recent email worm by working "email" and "Visual Basic Scripting" in there somehow.

    What's the effect of this exploit: In all the excitement of having another Microsoft bashing story will hurriedly type your submission onto the front page with plenty of spelling errors and word omissions.
    --
    Have Exchange users? Want to run Linux? Can't afford OpenMail?
  • by CiaranMc ( 149798 ) on Wednesday May 10, 2000 @06:16AM (#1081073)
    How this seems to work is that someone emails you an HTML file as an attachment.

    If you then view the attachment through Hotmail, Javascript in that attachment can then pretend to me from the Hotmail domain, and therefore access any cookies that Hotmail has set up. It can then submit these values to a form on another, hostile, server.

    These cookies then allow access to the site from a user pretending to be you, allowing them to read and delete your emails or send email from your account.

    It's not clear form the article, but presumably the relevant cookie is the one holding the user's session key. In a typical implementation this key will be useless after 30mins or so, but the length of the timeout is really whatever Microsoft chooses it to be.

    Try logging on to Hotmail, not touching anything for 30 mins and then clicking on 'read mail'. If they have the server set up sensibly, you'll have to enter your user name and password again.

    On the other hand, if Microsoft have done something really really dumb, like including the password in a cookie, then there's really no hoe for them.

    -Ciaran
  • C is for cookie, that's good enough for me!

    Ah. I feel MUCH better now! Now I have to go delete some email before I lose my cookies! <grin>

  • Comment removed based on user account deletion
  • by LordNimon ( 85072 ) on Wednesday May 10, 2000 @07:22AM (#1081090)
    Your post underscores the fact that many technical people have forgotton the original meaning of the words they use. It's really a shame.

    To you and me, formatting means erasing. But that's only true in techno-speak. In every other context, the word "format" does not imply erasing - not at all! And since very few people actually format their hard drives (and hence, have no experience with the process), how can you expect them to know what that word means?

    When you "format" something, you arrange it. You put it into some kind of order. To most people, that's a good thing! The moron who decided that "format" is a synonym for "erase" should be shot.

    If your application had asked the user to "erase all files on your hard drive", I think very few people would have said yes.

  • by zpengo ( 99887 ) on Wednesday May 10, 2000 @06:19AM (#1081092) Homepage
    I've seen websites that claim to give people access to anyone's Hotmail account. All you have to do is send an e-mail to a particular address that looks valid (something like account-password@hotmail.com) and give them the login of the person whose acct you want to get into, as well as your own login and password.

    I wonder how many people fell into that trap, thinking they were gonna get into someone else's account.

  • the windoze default setting is to 'hide' the three letter file extenstion. If the attached file was named noodiepic.jpg.vbs, it would appear as noodiepic.jpg . Most people would feel safe (yet perverted) by opening this.

    After our beloved NTServer was 'Loved', the people with this setting only noticed the jpg icons had changed and kept infecting away. I changed this setting on all infected users to help remind them what file type it actually is.

  • A lot of people run programs from strangers; the press and computer industry don't do a good enough job of educating people about these things.

    I saw something funny on CNBC during the ILOVEYOU worm outbreak. They were advising people not to save attachments to disk, as that could lead to infection, but to just execute the attachment. Not only was the mainstream media not educating people, they were actively making it worse.


  • I still have my hotmail account, I use it as my "spam bucket". You know those free website that offer free accounts (like the new york times), but you have to give them you email address? Also when registor with search engines, sign up FREE to win crap out there, just use a hotmail account and see how long it takes to fill completly full with spam (it took mine 3 days!)...

    A neat treat though, just put a filter in to filter out anything with 'A' in the subject, they allow like 5-10 filters, so delete everything that has a vowel in the subject line!
  • I've had a hotmail account for about 3 years and I still use it.

    Everytime I sign up for anything on the internet, anytime a webpage asks me for email, any time I have to put in an email address to 'register' a program, or any convention I sign up for, I put in my hotmail address... They then usually ask me a bunch of personal questions. I'm always 25-35 male, I make $100,000+/year and am single. And when you see all those little boxes where you check off your interests? Well, I check them all. Then I check (or uncheck) those boxes that ask me if I want their monthly, weekly, daily email magazine. Oh, and I want all the updates whenever they update their software/web page, etc...

    I currently get 7-8 emails a day at that address.. about twice a week I get one from Hotmail Staff telling me my mailbox is full.. :)

  • That is *absolutely* the case. That's why the ILOVEYOU virus author renamed files not from file.ext to file.vbs but to file.ext.vbs.

    Moderate Chris Hiner's post UP.
  • Naah, no-one would be stupid enough to embed a plaintext user password directly into an authentication cookie.

    what's wrong with using the password for a permanent cookie? someone with the cookie can do anything you can do (post comments, submit articles), so why is it a big deal if they have your password?

    otoh, for something like web-based e-mail where you log in for a few minutes, you want the authentication gone when you leave the computer.

    (i wonder what hotmail does if you check the "remember my password" option..)

    --

  • The proper extension for a Word file with macros is ".dot", because it's a template (a Word template is a dynamic object which produces documents, a Word document is a static object and can't contain code) - just because Word is too stupid to complain if you name it ".doc" doesn't change that. What you're saying is like insisting that a ".jpg" can hold formatted text, arbirary JavaScript, and hyperlinks because if you rename an ".html" file to ".jpg" IE will still open it as HTML.

    At any rate, my program detected macros in files with the extension ".doc". It wasn't a program idea, it was a working program that I tested and proved effective.

    From http://www.emergency.com/wordvrus.htm [emergency.com]:

    An important point to make here is that Word documents (.DOC files) can not contain macros, only Word templates (.DOT files) can contain macros. However, it is a relatively simple task to mask a template as a document by changing the file name extension from .DOT to .DOC.

    I hate pathetic morons who go around insulting people for imagined mistakes without checking their facts.

  • Comment removed based on user account deletion
  • At a certain large Canadian technology company, after having the email shut down by a Word macro virus panic, I once wrote a program that identifies attachments with a ".doc" extension that are actually ".dot" files (Word document templates that could contain macro viruses). If it was a real ".doc", it just opened the file with Word; if it was a ".dot", it put up a dialog box with big biohazard signs that said "This is a falsely labeled file! It could carry a virus or trojan horse! ARE YOU SURE YOU WANT TO OPEN IT?"

    Everyone who saw it, including my boss, agreed that it solved the problem completely. However, nobody installed it, and nobody outside of my department was shown it. It was almost certainly deleted shortly after I left the company, and the vulnerability (to a few specific viruses) solved several months later by purchasing expensive anti-virus software.

    Home users have an excuse: most of them are ignorant. They have a vague idea of some portion of what's on their hard drive and what's on the internet, and of the difference between an application and a document. Corporations, though, want a simple solution: money out, invulnerability to viruses in. The answers have been jumping up and biting them on the nose from any halfway decent MIS department, from security websites, from annoyed articles in the trade papers, but the managers involved want their computers to "just work", and not be bothered with having to think (or making all their employees apply common sense, which, I must admit, is about as difficult as teaching cats to march in formation).
  • My wife uses Hotmail, because she likes the convenience of getting her mail through a web browser, from any computer. I've seen a few apps for Linux that allow you to pull your mail off a POP or IMAP server, and access it through the web (ACME mail comes to mind - http://www.astray.com/acmemail/)

    Has anyone used this, or similar programs? How well do they work? How insecure are they?

    It'd be nice to set up an alternative web mail system....

    ---
  • by ceswiedler ( 165311 ) <chris@swiedler.org> on Wednesday May 10, 2000 @06:41AM (#1081131)
    Oh, yes. I've actually suggested we do something similar at our company. We send out HTML emails to our customers. The URL in the IMG tag doesn't have to be an image at all--it can be a CGI page which redirects to an image. Throw a couple of parameters (like a user-id) into the URL, and the CGI page can record exactly when users open the email. Nifty, eh? I never thought of capturing the IP address directly (not something we're interested in) but it would obviously be possible.

    Wonder if this could be exploited further?

  • I wrote a little "application" that was a simple little dialog box that asked the user if he wished to format the hard drive (in so many words) to see just how many of our in-house users really read those messages - and attached it to an email sent to everyone in the office (around 150 users). (Results were then sent to my computer through TCP connection, for those interested) 1 out of 3 users clicked yes..
    Did you then go back and resolve the IP's to machine locations and send anonymous emails to the users saying "You, sir [or madam as the case may be], are a FOOL!"?

    Why would anyone in their right mind let unknown people run foreign code on their machines? Yes, I get executable attachments sometimes myself, but why would I want to run code that does who knows what? I guess I just know too much about the kind of people out there. Yeah, maybe that's it.

    Just goes to show, once again, that there are two kinds of people in the computer world -- those who know what they're doing and understand the technology, and those who are along for the ride and depend completely on their "gurus" for anything even the slightest bit off the routine.

    I have to rant a little about this because around here 9 times out of 10 people come to me to bail them out when they screw something up, and only one of my jobs pays me for that. I have very little trouble believing that quite a few people would answer "yes" to your question, and not much more trouble believing that they would come whining to more clueful people about getting their files back afterwards.

    ("No, you don't understand. You FORMATTED the hard drive. That ERASES the hard drive. Unless you backed up those files which were ON the hard drive, they're gone. Sorry .. have a nice day ..")
  • So I just tried to send a message through hotmail, and I got a 404-ish error. So I logged back in to Hotmail and later got a message while refreshing saying that the server holding my account was temporarily unavailable. Sounds like they're taking the machines offline to throw in a patch.

    I'm hella pissed, though, because the mail I was sending was to a headhunter I've been talking with about a sweet Linux job and I don't know if it went through or not.

    It's enough to make a person switch over to PEmail. Old habits die hard, though. I've been using Hotmail since before M$ bought them.

    -carl
  • by RavenWolf ( 23378 ) on Wednesday May 10, 2000 @05:56AM (#1081134) Homepage
    I wrote a little "application" that was a simple little dialog box that asked the user if he wished to format the hard drive (in so many words) to see just how many of our in-house users really read those messages - and attached it to an email sent to everyone in the office (around 150 users). (Results were then sent to my computer through TCP connection, for those interested) 1 out of 3 users clicked yes..
  • Like the Dilbert comic where the boss becomes irate at a statistic that 40% of sick days are on Monday and Friday.

    *gasp*!

    Pablo Nevares, "the freshmaker".
  • by Phydoux ( 137697 ) on Wednesday May 10, 2000 @05:57AM (#1081137)
    This reminds me of something I heard a long time ago that has to do with human tendencies:

    "If you tell a man that there are millions of stars in the sky, he'll believe you. If you caution a man about wet paint, he'll have to touch it before he'll believe you."

    You can remind people ad nauseum that you shouldn't execute programs attached to e-mails because they might contain viruses. Most won't remember or believe you until they experience a virus infection for themselves.
    --

  • There was a problem with the code I was using so this wasn't working properly earlier. It is now. There's an interesting article about this type of web trojan on kuro5hin.org [kuro5hin.org]. There's a lot of discussion about it on Zope as well. It affects just about every web site out there.

    I decided not to have the link cause you to profess your love for Bill Gates to this thread. Instead I set up a sid here [slashdot.org].

    numb
  • by jesser ( 77961 ) on Wednesday May 10, 2000 @07:34AM (#1081141) Homepage Journal
    remember the CERT advisory [slashdot.org] in february about untrusted people being able to make it seem like javascript code came from a trusted website? i was wondering when someone would start exploiting this seriously. almost every site with dynamic content that isn't completely controlled by the site's owner is vulnerable to similar attacks.

    the next step is a worm that affects web discussion forums. i wouldn't be at all surprised if slashdot was its main target, just because of slashdot's size and the fact that javascript's security model is messed up on all browsers.

    --

  • by / ( 33804 ) on Wednesday May 10, 2000 @05:59AM (#1081147)
    It doesn't actually do many of the horrible things associated with the ILOVEYOU crap, but it will let someone else commandeer your hotmail account.

    A quick summary: javascript in a rogue cookie on a hostile site tells Hotmail to send its own cookies to someone else. Once that person has those cookies, he has all the authentication he needs to use/abuse the original person's Hotmail account.
  • Actually, 'format' is not a bad term for what it was intended to do.

    But that's beside the point. The fact that it re-initializes the directory structure and allocation tables is nowhere near as big of an issue as the fact that it erases all data on the drive!!!!

    Here's an analogy:

    Stepping on the accelerator in a car will:

    • A) increase the RPM of the engine
    • B) make the car go faster
    Yes, both are true, but so what? When a driver steps on the accelerator, it's because he wants B) the car to go faster. 99% of all drivers aren't that concerned about the engine RPM, even if they know what it is.
  • by iCEBaLM ( 34905 ) on Wednesday May 10, 2000 @07:54AM (#1081154)
    But that's beside the point. The fact that it re-initializes the directory structure and allocation tables is nowhere near as big of an issue as the fact that it erases all data on the drive!!!!

    Usually it doesn't actually. The data is still there but inaccessable because the OS just reset the allocation tables. You're not really losing the data, you're losing the ability to access the data in the intended mannor, its a byproduct.

    Dos even had an "unformat" command.

    -- iCEBaLM
  • including both median and mean. Anyway, because intelligence isn't really something you can put a real number to, we're free to fake a nice balanced bell curve where the median and the mean are the same. I think it works out that way with I.Q.
  • You don't happen to have a copy laying around, I would love something like that -grin- :)
  • From they way this story is worded, I'm led to belive that you could construct a similear javascript to get the cookies from anywebsite.

    Just one more reason that I only use crashscape (Which is what I've been calling that program since 1.1 when I first saw it) with sites I trust. Mostly my bank because they require javascript for some reasons (at least to log in, once I'm logged in I've disabled it with no problems, but that is a pain)

  • by Chris Hiner ( 4273 ) on Wednesday May 10, 2000 @05:59AM (#1081168) Homepage
    What alot of us forget, is that Windows 95 defaults to not showing the extension for files it knows the type of. So if you name a file NIFTY_PICTURE.GIF.VBS, alot of non technical people will see it as NIFTY_PICTURE.GIF. But when they double click it, it runs...
    (Win98 may default to this too, I don't remember)

    I suspect lots of nongeeks leave it at the default...
  • by zpengo ( 99887 ) on Wednesday May 10, 2000 @06:00AM (#1081174) Homepage
    Another grammatically fascinating post by CmdrTaco, and another administratively fascinating event in the history of Microsoftified Hotmail.

    I'm sure that pretty much everyone here has or has had a Hotmail account at some point in the past. Quick poll: How long did you use Hotmail, and why did you finally give it up?

  • People are lazy and don't consider the ramifications of what they do. This puts more burden on programmers to protect idiots from themselves.

    There are many alternatives to Outlook Express (in the case of the love bug) or Hotmail, but people that are too lazy to properly evaluate the suitability and safety of their tools will get hurt. This happens with physical tools

    That taiwanese-brand hammer is way more likely to split and send shards into your eye, but is that your fault or the manufacturers fault? In the US, it is of course entirely the manufacturer's. In the UK, well, the judge would make an arbitrary partition and say it was maybe 60% the manufacturers fault, and 40% mine. Of course the UK approach is much less sane.
  • by Erasmus Darwin ( 183180 ) on Wednesday May 10, 2000 @06:03AM (#1081179)
    It's not the grammar that bothers me, so much as the inaccuracy of the summary. It isn't a VBS attachment that causes the problem, but rather a plain HTML attachment with embedded javascript. Even in a world of "intelligent" users, HTML is expected to be a "safer" document format, rather than "dangerous" executable code.

    I think there're a number of people you could assign the blame to, but no one entity that's "fully stupid". Users should be more careful, Hotmail should attempt some filtering, but most importantly the w3c should provide a means of denoting "third-party" HTML (and other documents) that appears to be from the server, but in reality was placed there by someone else (such as an attachment to an email or a comment in a message board that doesn't restrict HTML).

  • How's "resetting the filesystem" for a name?
  • I normally use Hotmail through Outlook Express (no flames please; my filename extensions are not hidden). When I get a spammer, I just report her [spamcop.net].
  • I think a more fun experiment would be to write a program that asks "This program contains a virus. In order to run this program you must first install the virus onto your computer. A computer virus has the potential to destroy all data contained on the system. Yes, that means you should click cancel if you want to live. [OK] [Cancel]"
  • On a related note, I heard that studies have shown that half of the population make up 50% of the people.
  • You've never worked a help desk, have you?
  • Most people wouldn't think twice about opening a snail mail package addressed to them, even if it has not return address on it, and seems somewhat heavy. That's why the unabomber managed to rack up a pretty decent string before being caught. People don't tend to think that bad things will happen to them when they are using tools that they deal with everyday without understanding.

    To put it another way, while most people think of themselves as fairly decent drivers, how often in the past week have you been cut off, or had the guy in front of you make a turn without signalling? People get so used to using tools that they become careless; this is compounded if the person doesn't understand how the tool that they are using works, or at least had it drilled into their heads the way to safely use the tool.

    It's just a matter of time before people get more careful about opening things they're not sure are safe. I imagine Thag got a lot more careful with fire after watching Thog torch himself.

  • by sammy baby ( 14909 ) on Wednesday May 10, 2000 @06:04AM (#1081201) Journal
    Contrary to the reporting on /., the most recent Hotmail hole is in no way related to a VBS script. What's so alarming about the hole is that it is acutally an HTML file which contains the exploit. More specifically:

    The folks over at Hotmail were smart enough to filter out JavaScript from HTML formatted messages sent to Hotmail recipients. They did not, however, think that it would be necessary to filter HTML attachments, either. As a result, a clever individual was able to construct an HTML page containing JavaScript which forwards HotMail authorization cookies to a third party.

    Ironically, this information is largely reproduced from the article on Peacefire [peacefire.org] cited in the original post. No mention of VBS files anywhere.

A person with one watch knows what time it is; a person with two watches is never sure. Proverb

Working...