
Passport's Pocket Picked

michael posted more than 12 years ago | from the department-of-insecurity dept.

Bug 327

emmons writes: "It looks like there's another hole in MS Passport according to Wired. This one allowing a user to steal another user's Passport Wallet, credit cards and all, by getting them to open a hotmail message. Nice." What happens when someone steals the basket with all your eggs?


***ANNOUNCEMENT*** (-1, Troll)

CmderTaco (533794) | more than 12 years ago | (#2514482)

We here at Slashdot [slashdot.org] in no way endorse the links that you will see on many postings to goatse.cx [goatse.cx]

These links to goatse.cx are typically put in postings from Trolls. If you are going to troll this site, please don't or I will redirect your IP to goatse.cx [goatse.cx] any time you try to visit Slashdot [slashdot.org] .

We at Slashdot [slashdot.org] can no longer tolerate this behavior from these trolls.

Furthermore, if you find any further links to goatse.cx [goatse.cx] then please follow this link [yahoo.com] and report it to us for prompt action.

Re:***ANNOUNCEMENT*** (-1)

The Turd Report (527733) | more than 12 years ago | (#2514721)

I agree with this post.

What is the square root of a million? (-1)

medicthree (125112) | more than 12 years ago | (#2514485)

Probably not two.

Re:What is the square root of a million? (-1, Redundant)

Anonymous Coward | more than 12 years ago | (#2514578)

Oh! It's really 1000. 1000 trolls marching beside your bed, at night, as you fall comfortably asleep. . .

Just when I was about to give in... (1, Funny)

ElPresidente1972 (95949) | more than 12 years ago | (#2514487)

and get a Passport. I was about to buckle under the pressure...

Re:Just when I was about to give in... (1)

Sloppy (14984) | more than 12 years ago | (#2514545)

What pressure?

And think... (1)

b_pretender (105284) | more than 12 years ago | (#2514490)

...this is just the beginning.

Don't put all your eggs in one basket (4, Interesting)

dattaway (3088) | more than 12 years ago | (#2514554)

Quoting a gem from the article:

"More than 70 sites are in the process of deploying Passport's authentication technology, according to Microsoft. Among them is Prudential Banking's Egg.com online bank, which is switching to Passport..."

Egg.com sounds kind of ironic. Must be quite a marketing effort on Microsoft's behalf getting banks to deploy untested technology on a mass scale.

Re:Don't put all your eggs in one basket (1)

hansk (107187) | more than 12 years ago | (#2514588)

More than 70 sites are in the process of deploying Passport's authentication technology...

Prudential Banking's Egg.com online bank

Give a whole new meaning to "cracking an egg".

Here is the text of the article... (0, Redundant)

mnemon1c (51802) | more than 12 years ago | (#2514492)

To correct serious security flaws, Microsoft on Friday disabled the virtual wallet function of its Passport service and has begun notifying partners about the vulnerabilities, the company has confirmed.

The bugs in Passport, a sign-on service used by more than 165 million people, were discovered this week by Marc Slemko, a software developer who lives near Microsoft's Redmond, Washington, headquarters. Slemko is a founding member of the Apache Software Foundation.

By cobbling together a handful of browser-based bugs with flaws in Passport's authentication system, Slemko developed a technique to steal a person's Microsoft Passport, credit card numbers -- and all, simply by getting the victim to open a Hotmail message.

The attack raises new questions about the inherent security of Passport, which is being positioned by Microsoft as the linchpin of its .NET e-commerce service initiative.

In a demonstration of the exploit earlier this week, Slemko sent Wired News a specially crafted but innocent-looking e-mail. Moments after the e-mail was viewed using Microsoft's Hotmail Web-based e-mail service, Slemko rattled off, over the phone, the credit card number and contact information from the user's Passport wallet.

According to a notice at the service's site, the Passport wallet enables users to store credit card and address information "in a secure, online location. Only you have access to the information in your .NET Passport wallet."

Introduced in 1999, Passport is what Microsoft calls a "platform service" and is being pitched to merchants and other partners as a convenient and secure means of determining whether site users are who they claim to be.

Besides enabling Web surfers to access Hotmail and several other secure sites with a single log-in, Passport includes a wallet system that speeds shoppers' checkout at dozens of sites that deploy the Passport Express Purchase technology.

In an e-mail today to Slemko, Passport's lead program manager for security and authentication, Chris Peterson, said the wallet service will remain offline until the company can add additional security features "to ensure that similar exploits cannot be used to compromise our user's credit card information."

Microsoft's Hotmail is the largest service currently utilizing the Passport authentication system, but the technology has also been deployed by eBay to allow users of the online auction service to sign into their accounts.

In addition, Microsoft's MoneyCentral personal finance site relies on Passport's sign-on technology.

Prior to being fixed by Microsoft, the authentication flaws discovered by Slemko could enable an attacker "to do anything as if they were the Passport holder," including editing the user's portfolio at MoneyCentral, or changing users' auctions at eBay, he said.

More than 70 sites are in the process of deploying Passport's authentication technology, according to Microsoft. Among them is Prudential Banking's Egg.com online bank, which is switching to Passport from an authentication system developed by Entrust Inc., according to published reports.

Besides posting it at his site, Slemko intends to release the technical details on several security mailing lists Friday "so that, if they choose, users and partners can choose to reduce the impact on themselves," he said. Because of the severity of the flaws, Slemko withheld publication until Microsoft had an opportunity to correct it.

According to Microsoft, the company has patched two bugs utilized by Slemko's exploit: an HTML filtering issue in Hotmail as well as a cross-site scripting flaw in its Passport server configurations. In addition, the company has modified a software timer so that Passport users must re-enter their password anytime they attempt to access the wallet service.

While Slemko's exploit, which relied on stealing browser cookies used by Passport, has been rendered inoperable by Microsoft's fixes, the programmer said "deeper issues" remain with the service.

"Passport's greatest marketing strength -- the single sign-on -- is also its chief technical weakness. It will be fairly trivial for attackers to dream up new ways of exploiting this," he said.

Slemko is not the first to reach this conclusion. Last year, researchers at AT&T published a paper that observed that Microsoft's single sign-on service "carries significant risks to users" and warned that "Passport must be viewed with suspicion."

Microsoft subsequently fixed the bugs identified in the AT&T report and issued a response, downplaying the researchers' conclusion that Passport is inherently flawed and promising new security features in the future.

One fruit of that promise is in Microsoft's recently released Windows XP operating system, which attempts to improve the security of Passport's sign-on system by moving the authentication out of the browser and embedding it into the operating system.

Microsoft has also adopted what it calls a "federation" model for Passport that will allow other authentication vendors to create systems that interoperate with Microsoft's platform.

But critics still contend that granting Microsoft control over a massive set of personal data creates intolerable security risks.

"If history has shown us anything, it's that the best protection lies in decentralizing power and promoting competition. We need to take the same approach to our digital identities and make sure that who and what we are is not held captive by a single entity," wrote Whitfield Diffie, one of the inventors of public-key cryptography, and Susan Landau, a senior staff engineer at Sun Microsystems, in an editorial published last week.

According to Slemko, the fact that he needed just half an hour to cook up a way to exploit Passport's security flaws indicates that Microsoft is not fit to run a service with Passport's ambitions.

"It is very clear that either Microsoft does not have sufficient resources in place to properly review the security of their services and software, or that they are aware of the shortcomings but decided that attempting to gain market share was more important than their user's security," he said.

single point of failure (4, Insightful)

Pope (17780) | more than 12 years ago | (#2514546)

MS seems to have Single Point of Failure problems in a lot of things: the Registry, any one?

Re:single point of failure (0)

Anonymous Coward | more than 12 years ago | (#2514705)

MS's "Single Point of Failure" problem is their myopic view of technology.

Re:Here is the text of the article... (0)

Anonymous Coward | more than 12 years ago | (#2514548)

-1 Redundant.

If you haven't discovered the mysteries of the web yet, let me inform you that the link (that green thing) will get the same text for you. It's a great feature, that eliminates redundancy.

How will this affect us in the wake of Sept. 11? (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2514500)

Ach...sorry, reflex.

Sincerely,
Every Fucking Journalist in the U.S.

spin control (1)

Maskirovka (255712) | more than 12 years ago | (#2514501)

What happens when someone steals the basket with all your eggs?

You throw a smoke screen around the area until you can fabricate some new ones. Not to be a troll or anything, but this was only a matter of time.

Maskirovka

Re:spin control (2)

b_pretender (105284) | more than 12 years ago | (#2514708)

...this was only a matter of time...

And what a little amount of time it was!!

What happens ... (1, Funny)

unformed (225214) | more than 12 years ago | (#2514502)

What happens when someone steals the basket with all your eggs?

You have nothing left for trick-or-treating with.

Re:What happens ... (1)

jayhawk88 (160512) | more than 12 years ago | (#2514609)

Alternate answer: You become a non-person, unable to perform simple tasks such as apply for a job, purchase goods, or even receive unemployment benefits. Forced out of modern society, you hitchhike across the midwest for several months, until you finally settle in southern Wyoming, where you manage to build a crude log cabin, and live off the land. Eventually, your life moves from survival to enjoyment of your new "wilderness" surroundings, and you spend the remainder of your years communing with nature in peace and tranquility.

See, Microsoft did you a favor after all!

Re:What happens ... (1)

Bat_Masterson (250306) | more than 12 years ago | (#2514694)

Alternative answer: you sell leftover chicken parts to Kentucky Fried Chicken!

Re:What happens ... (1)

lizardboy (160143) | more than 12 years ago | (#2514727)

Are you not describing the life of the Unabomber?

LizardBoy

pre-paid Spam (5, Funny)

DataPath (1111) | more than 12 years ago | (#2514503)

great... the single greatest magnet for spam is also an open book to your credit cards. I can see it now: "Hot dirty sex... you've paid for it already, so you might as well cum see!"

"You've already paid the fee to get in on our bogus pyramid scheme, so now it's YOUR turn to go steal from someone else!"

Microsoft and my pregnant wife (0, Offtopic)

zaphod123 (219697) | more than 12 years ago | (#2514512)

I guess we shouldn't have used Microsoft Condom...

Re:Microsoft and my pregnant wife (-1, Flamebait)

ekrout (139379) | more than 12 years ago | (#2514519)

Funny, 'cause your wife didn't make me wear anything...sorry dude.

;-)

In 6 months .... (4, Funny)

SirSlud (67381) | more than 12 years ago | (#2514515)

> In addition, the company has modified a software timer so that Passport users must re-enter their password anytime they attempt to access the wallet service.

will be

> In addition, the company has modified a software timer so that Passport users must re-enter all the information associated with their passport account (including their Wallet account) anytime they attempt to access the wallet service.

Which might be shortly followed by the first time MS has ever been able to claim their technologies are relatively secure. (Yes, I'll avoid being a jerk and suggesting anyone can ever be 100% secure. :)

Re:In 6 months .... (1)

Murdock037 (469526) | more than 12 years ago | (#2514635)

Doesn't having to re-enter the information every time kind of defeat the purpose of Passport in the first place?

Maybe I'm not getting something here. A service that requires you to do everything it claims to, just to remain secure?

Very cute.

Burning Reichstag (3, Troll)

perdida (251676) | more than 12 years ago | (#2514518)

If this is Microsoft's universal security solution, I can't believe they'd put out something that can be so easily cracked without knowing it.

Is it conceivable that M$FT is deliberately designing holes, staging exploits and publicizing them in order to get popular support for federally controlled security systems and universal elimination of anonymity?

The anthrax could be the same thing.. government allowing it to spread, or spreading it themselves, to pressure Congress to pass the USA PATRIOT act, which they did, and to pressure us to accept strictures on our behavior?

In both cases, ask: Quo bono? In the current climate, who benefits from these activities?

Terrorists don't benefit from the anthrax, and OSS doesn't benefit from these Passport exploits. In both cases, the government benefits.

Re:Burning Reichstag (0)

Anonymous Coward | more than 12 years ago | (#2514559)

I think you took off your aluminum foil cap a bit too soon. Put it back on, please.

Re:Burning Reichstag (0)

Anonymous Coward | more than 12 years ago | (#2514566)

About the dumbest conspiracy theory I have ever seen.

Terrorists don't benefit from anthrax? Really? What are they trying to do then? Isn't it "cause terror"? Doesn't anthrax do that?

Re:Burning Reichstag (0)

Anonymous Coward | more than 12 years ago | (#2514568)

Don't worry, most civilians in the US will live to see the revolution that comes after WW3. Go ahead and buy a rifle and a shotgun now, there will be a shortage soon.

Troll! (0)

Anonymous Coward | more than 12 years ago | (#2514573)

It's an adequacy.org troll, written to capitalize on people's paranoia. Mod down.

Re:Burning Reichstag (0)

Anonymous Coward | more than 12 years ago | (#2514580)

I am FAR more scared of the moderator who moderated you as "insightful" than I will ever be of the government and/or Microsoft.

Re:Burning Reichstag (5, Insightful)

Shotgun (30919) | more than 12 years ago | (#2514586)

Good conspiracy theory, but I would have to say look at history in this case. MS is threatened. Sales revenue is in the toilet and the outlook for future sales is even bleaker. They have to come up with a strategy and implement it fast. What do they do?

What they always have done. Rush a half-finished product out the door, and use whatever leverage they have to force it on whoever they can, while keeping the engineers busy in the back room with the bubblegum and duct-tape. Eventually, they'll get around to releasing a decent product.

Course, I won't be buying it then either. 8*)

Hey that was a sane clear headed perspective (0)

Anonymous Coward | more than 12 years ago | (#2514656)

You MUST be in the wrong place....Please get with the program....If you don't have anything BAD to say about M$ please remain quiet. :)

Re:Burning Reichstag (2, Funny)

limbostar (116177) | more than 12 years ago | (#2514589)

1. Terrorists DO benefit from anthrax, because it's scaring the shit out of the nation. That's, uh, the point of terrorism.

2. Saying OSS doesn't benefit from passport exploits implies that the Open Source Software movement is responsible for the exploits. They're not. Microsoft is. And through some twisted, delusional logic you assert that Microsoft benefits from building in exploits.

It's a well-known fact that CmdrTaco is trying to make it as easy as possible for trolls to post to slashdot, because he could use them as an excuse to further crack down on Joe Poster.

Also, hospitals won't treat you if they find you have an organ donor card -- they'll let you die because other people need your organs.

Furthermore, the entire world is an intricate conspiracy designed to repress you.

LOOK OUT! THEY'RE COMING NOW!

Re:Burning Reichstag (1, Funny)

ConceptJunkie (24823) | more than 12 years ago | (#2514606)

>Quo bono?

He was the whiny-voiced guy in the mohair vest that sang with that tall gangly chick before she had a minimum 35% post-consumer recycled body.

Became a congressman and newest poster child for the Agony of Defeat(TM).

Lame (0)

Anonymous Coward | more than 12 years ago | (#2514693)

Now that was a completely obvious troll.

I'm not surprised it came from Adequacy.

Re:Burning Reichstag (1)

virtros (513852) | more than 12 years ago | (#2514723)

Let me guess what is next. We never made it to the moon...it was all just some hoax on a back sound stage of some movie theater.

To answer your question, (IMHO) no it is not conceivable that Microsoft is deliberately designing holes for a federally controlled security system. What would they gain by it other than yet another govt agency snooping in their business practices and more costs against their bottom line. At first guess I would suspect that this is just what it appears to be, a security hole associated with too much complexity, too many business units, too little time and too short a budget. Microsoft is a business....their only interest is the bottom line and getting their customers ripped off is NOT how you protect that interest.

So far as your Anthrax link? Give me a break! The government really has nothing to gain from inducing mass hysteria in the common populace. The costs from this anthrax mess will be astronomical when all is cleaned up and over (and/or vaccinated). If the government WANTED to get a bill like that passed they can just pass it, or at worst let some terrorists blow something minor up and let the media take it from there. Anthrax is more threat than necessary to achieve the passing of some "security" legislation. The point of the matter is that the government benefits in neither situation.

That is the problem with conspiracy theories, generally (and I say generally so I'm not slain by the nitpickers) they have a difficult time passing even the simplest test of Occam's razor. (again for nitpickers, I'm NOT saying that Occam's razor is absolute...just that there is a reason that it exists)

Quo bono? nobody...

virtros

oh yeah. sorry for any spelling/grammar errors, I've not the time to micromanage my /. posts (should that be in my sig?

Did anyone not see this coming? (4, Insightful)

chronos2266 (514349) | more than 12 years ago | (#2514520)

I remember a year or two ago a person could send you an email and obtain your hotmail account. Hotmail is a gaping hole in the passport service.

With passport, microsoft wishes to be the customs agent of the internet. However, with flaws like this they really are not going to turn many people over to their side.

I'm sure more exploits will pop up in the future. Most of them will likely use hotmail in someway or another to enter.

more info (5, Informative)

Leper (22654) | more than 12 years ago | (#2514523)

ok, obviously my post will be rejected as this one already made it through (they rejected Marc's initial story which I guess shouldn't surprise me), but here's more linkage about where you can read about the technical details:

Marc's Passport Advisory [znep.com]

i want to go home and play civ3 (4, Troll)

smack_attack (171144) | more than 12 years ago | (#2514524)

What happens when someone steals the basket with all your eggs?

Send special forces to kill the bunny. And cluster bombs, lots of fucking cluster bombs

What happens when someone steals the basket with a (2)

dpilot (134227) | more than 12 years ago | (#2514531)

You sue them under the DMCA, future SSSCA, Anti-Terrorism Act, or the like.

A testimony to the proposition that security CAN be legislated.

(Yeah, right.)

Re:What happens when someone steals the basket wit (5, Insightful)

MaxwellStreet (148915) | more than 12 years ago | (#2514565)

Interestingly, this is exactly what will happen.

Only the discoverer of the hole will be forced to announce it anonymously, and publish it only in dark little places where the lawyerly eyes of Microsoft won't find it. And unscrupulous eyes will.

I can see it happening already. And Microsoft would not even hear of the hole until it's far, far too late. It will be a very, very dark day if information is compromised on this scale.

The DMCA in this case would directly contribute to the destruction of the integrity of the Passport system.

Simply put - if only outlaws find security holes, then only (genuine) outlaws will have access to them.

Re:What happens when someone steals the basket wit (0)

Anonymous Coward | more than 12 years ago | (#2514684)

I wonder why no one ever tries to sue Microsoft for creating a defective product. I mean, they sue Firestone for bad tires and Ford for top-heavy SUVs. What is the difference... well obviously, no one dies here but still.

Killing the messenger? (4, Interesting)

Rinikusu (28164) | more than 12 years ago | (#2514532)

Anyone remember the story with MS whining about how security people should just shut their cake-hole and not "reveal" exploits? I wonder if they'll take the same stance on this one.

"Well, it wouldn't have been too much of a problem until those meddling kids at Apache showed up..."

Re:Killing the messenger? (1)

VenTatsu (24306) | more than 12 years ago | (#2514587)

He did exactly what MS asked, "Because of the severity of the flaws, Slemko withheld publication until Microsoft had an opportunity to correct it."

Re:Killing the messenger? (1)

DataPath (1111) | more than 12 years ago | (#2514711)

That's highly unlikely since he alerted Microsoft, and waited for them to patch it before he announced it.

Well so much for single sign-on (5, Informative)

geophile (16995) | more than 12 years ago | (#2514534)

I really like this part:

In addition, the company has modified a software timer so that Passport users must re-enter their password anytime they attempt to access the wallet service.

While Slemko's exploit, which relied on stealing browser cookies used by Passport, has been rendered inoperable by Microsoft's fixes, the programmer said "deeper issues" remain with the service.

"Passport's greatest marketing strength -- the single sign-on -- is also its chief technical weakness. It will be fairly trivial for attackers to dream up new ways of exploiting this," he said.
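The fix the article reports (and that the comment above quotes), a re-entered password every time the wallet is opened, is a step-up authentication gate: the single-sign-on cookie alone must not be enough to reach stored card data. The model below is an added example written for this page, not Microsoft's or Passport's code; the class and function names, the PBKDF2 credential store, the one-time grant and its TTL are all assumptions made for the illustration.

```python
"""Step-up authentication in front of a wallet behind single sign-on.

Added example (not Passport's code). A session created by the normal
single sign-on is represented by a cookie value; opening the wallet
additionally requires a fresh password check that arms a one-time grant,
so every wallet access needs the password again, as the article describes.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

WALLET_GRANT_TTL = 60.0  # seconds a fresh password check stays usable (assumed)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    card_on_file: str  # constructed sample value, never a real card number


@dataclass
class Session:
    user: str
    # (grant token, expiry) set only by reauthenticate(); consumed on use.
    wallet_grant: tuple[str, float] | None = None


class PassportLike:
    """Hypothetical service: SSO cookie for sites, step-up for the wallet."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}  # sso cookie value -> session

    def register(self, user: str, password: str, card: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt), card)

    def _check_password(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt))

    def login(self, user: str, password: str) -> str | None:
        """Single sign-on: returns the cookie value partner sites accept."""
        if not self._check_password(user, password):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(user)
        return cookie

    def reauthenticate(self, cookie: str, password: str, now: float | None = None) -> bool:
        """Step-up: the password must be re-entered to arm a wallet grant."""
        sess = self.sessions.get(cookie)
        if sess is None or not self._check_password(sess.user, password):
            return False
        now = time.time() if now is None else now
        sess.wallet_grant = (secrets.token_urlsafe(16), now + WALLET_GRANT_TTL)
        return True

    def open_wallet(self, cookie: str, now: float | None = None) -> str | None:
        """Returns card data only with a fresh, unused grant; otherwise None."""
        sess = self.sessions.get(cookie)
        if sess is None or sess.wallet_grant is None:
            return None
        now = time.time() if now is None else now
        _, expiry = sess.wallet_grant
        sess.wallet_grant = None  # one-time: consumed whether fresh or stale
        if now > expiry:
            return None
        return self.accounts[sess.user].card_on_file


def demo() -> dict:
    """Walks the cases: cookie only, after re-auth, reuse, and a stale grant."""
    svc = PassportLike()
    svc.register("alice", "correct horse", "4111-xxxx-xxxx-1111 (constructed)")
    cookie = svc.login("alice", "correct horse")
    out = {}
    out["cookie_only"] = svc.open_wallet(cookie, now=1000.0)       # None
    out["reauth_ok"] = svc.reauthenticate(cookie, "correct horse", now=1000.0)
    out["after_reauth"] = svc.open_wallet(cookie, now=1010.0)      # card data
    out["second_use"] = svc.open_wallet(cookie, now=1011.0)        # None, consumed
    svc.reauthenticate(cookie, "correct horse", now=2000.0)
    out["stale"] = svc.open_wallet(cookie, now=2000.0 + WALLET_GRANT_TTL + 1)
    out["wrong_password"] = svc.reauthenticate(cookie, "wrong", now=3000.0)
    return out


if __name__ == "__main__":
    print(demo())
```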


XP Integration is evil (5, Informative)

jeeryg_flashaccess (456261) | more than 12 years ago | (#2514537)

Why? I installed XP for my dad, everything works perfectly. The OS is great. I got tired of passport starting up, so I clicked on it, canceled a few prompts, went to settings, checked 'do not start up on boot', and closed the program. IT STILL STARTS UP ON BOOT. My point is that MSFT has made it very difficult to stop the damn thing from starting. Screw Passport.

Re:XP Integration is evil (5, Informative)

Phil Wherry (122138) | more than 12 years ago | (#2514643)

Passport really isn't an application on your desktop machine, but MSN Messenger (which requires Passport) is. Messenger is a really irritating application in its own right. And it's actually even more irritating if you have signed up for Passport using a Hotmail account, since it feels compelled to notify you of waiting email at Hotmail every eight microseconds--and it's essentially impossible to keep Microsoft from spamming you with "special offers" that you must know about right away.

You can, however, uninstall it!

Have a look at the file c:\windows\inf\sysoc.inf

Then change the line that reads:

msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7

to

msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,,7

Then go to the Control Panel, choose Add/Remove Programs, then select the "Windows components" tag. You'll note that "Windows Messenger" now appears at the bottom of the list; just remove it, and Windows/MSN Messenger will bother you no more.
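The same edit done as a script, so the change can be checked before it touches the real file. This is an added example, not the poster's; it assumes the layout the single line above shows (name=dll,entry,inf,flags,n under a [Components] section), and the sample file contents are constructed apart from that msmsgs line.

```python
"""Clear the 'hide' flag of one component in a sysoc.inf-style file.

Added example, not from the original post. The only thing taken from the
post is the msmsgs line; the rest of SAMPLE_SYSOC is constructed filler.
Assumed layout: key=dll,entry,inf,flags,n lines under [Components].
"""
from __future__ import annotations

SAMPLE_SYSOC = (
    "[Version]\r\n"
    'Signature = "$Windows NT$"\r\n'
    "\r\n"
    "[Components]\r\n"
    "msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7\r\n"
    "Fax=fxsocm.dll,FaxOcmSetupProc,fxsocm.inf,,7\r\n"
    "\r\n"
    "[Global]\r\n"
    "WindowTitle=%WindowTitle%\r\n"
)


def _split_eol(line: str) -> tuple[str, str]:
    """Separate a line from its line ending so CRLF files stay CRLF."""
    body = line.rstrip("\r\n")
    return body, line[len(body):]


def _component_lines(text: str):
    """Yield (line, key, fields) for every key=value line in [Components]."""
    in_components = False
    for line in text.splitlines(keepends=True):
        body, _ = _split_eol(line)
        stripped = body.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_components = stripped.lower() == "[components]"
            yield line, None, None
            continue
        if in_components and "=" in stripped and not stripped.startswith(";"):
            key, _, value = body.partition("=")
            yield line, key.strip(), value.split(",")
        else:
            yield line, None, None


def hidden_components(text: str) -> list[str]:
    """Names of [Components] entries whose flags field contains 'hide'."""
    names = []
    for _, key, fields in _component_lines(text):
        if key is not None and len(fields) >= 4:
            if "hide" in (t.lower() for t in fields[3].split()):
                names.append(key)
    return names


def unhide_component(text: str, component: str) -> tuple[str, bool]:
    """Return (new_text, changed).

    Only the matching key (INF keys compare case-insensitively) inside
    [Components] is touched, and only the 'hide' token of its flags field
    is removed; everything else, including line endings, is preserved.
    """
    out = []
    changed = False
    for line, key, fields in _component_lines(text):
        if key is None or key.lower() != component.lower() or len(fields) < 4:
            out.append(line)
            continue
        body, eol = _split_eol(line)
        tokens = [t for t in fields[3].split() if t.lower() != "hide"]
        if len(tokens) == len(fields[3].split()):
            out.append(line)  # nothing to do, already visible
            continue
        new_fields = fields[:3] + [" ".join(tokens)] + fields[4:]
        prefix = body[: body.index("=") + 1]  # keep original key spelling
        out.append(prefix + ",".join(new_fields) + eol)
        changed = True
    return "".join(out), changed


if __name__ == "__main__":
    new_text, did_change = unhide_component(SAMPLE_SYSOC, "msmsgs")
    print("changed:", did_change)
    print(new_text)
```

Pointing it at the real file means reading c:\windows\inf\sysoc.inf, checking `hidden_components()` first, and writing the result back only when `changed` is true.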

Re:XP Integration is evil (1, Flamebait)

innocent_white_lamb (151825) | more than 12 years ago | (#2514722)

Yup, another example of the Windows ease-of-use. "You'll damn well accept things the way that we want to present them to you". To change that, you have to horse around with all sorts of goodies.

Change one config file in Linux/Unix and the job's done.

What was that about Linux being hard to use again? ....

Re:XP Integration is evil (0)

Anonymous Coward | more than 12 years ago | (#2514736)

Licorissss, licorissss, good, sweet licorissssss!!

:)

Public knowledge (1, Insightful)

lexcyber (133454) | more than 12 years ago | (#2514538)

I sure hope this doesn't stay on slashdot. It should really be public knowledge that this sort of thing can happen in the passport service that MS provides. - ASAP

New Passport Slogan... (5, Funny)

ZZane (144066) | more than 12 years ago | (#2514539)

Where did your wallet go today?

-Zane

Re:New Passport Slogan... (5, Funny)

mgblst (80109) | more than 12 years ago | (#2514638)

Linux Redhat: $59
AOL Account: $20 a month
Contribution to OSS fund: $1000

Charging it to Bill Gates Credit Card: Priceless

There are some rights money can't buy.
For everything else, there's Microsoft Passport.

It's Karma Time! (0, Troll)

ekrout (139379) | more than 12 years ago | (#2514541)

Time for me to be a bit fece^H^H^H^Hfacetious. Microsoft is an Evil Empire(TM). Their products are the joint effort of thousands of easily brain-washed students fresh out of college who decided, at the last minute, to major in computer science rather than business.

Sir, you have a phone call. . . (1)

K0R$ h4x0r ru1z (533828) | more than 12 years ago | (#2514543)

This is but one example, but. . .how many user names/passwords do you think can be garnered through a simple brute force script? A third? My father does a good number of things through Sun. Check out their auth. It relies more on SAW encrypt, which in turn is certainly more solid. And yes, I have your hotmail account. . .

ha! (1)

toaster13 (36774) | more than 12 years ago | (#2514551)

Yeah so the chance that I'll ever give microsoft an important piece of information: 0. I can't wait to see how they spin this.

File suit with the FTC (5, Interesting)

dillon_rinker (17944) | more than 12 years ago | (#2514555)

Who'd like to file suit with the FTC against Microsoft for false advertising? I think we all know that there is no such thing as absolute security, or that security is a process, not a result, etc etc. But does the average non-geek American know that? For that matter, does the marketing department at Microsoft know that?

You can't market a product as having qualities it doesn't have without getting into trouble with the FTC. Granted, MS will try to spin this as "Those bad Linux hackers will steal your data!" The fact remains that they've lied to the American consumer. I think they need to be forced to amend their advertising.

And this will be reported by who? (5, Interesting)

cluge (114877) | more than 12 years ago | (#2514561)

Sad isn't it, here is the VERY thing all those "privacy people" keep screaming about. The thing that MS says won't happen. The idea should chill us all to the core, after all with XP released it's just a matter of time before a majority of Americans will have a "passport". Will it be reported by any big news organizations? Will it make front page (it should).

In the end I guess I best move to the bahamas and start ordering lots of neat things with all these new credit card numbers that magically appeared in my hotmail account.

Re:And this will be reported by who? (1)

nion (19898) | more than 12 years ago | (#2514641)

...after all with XP released it's just a matter of time before a majority of Americans will have a "passport".

Oh gods, yes. We *just* bought a laptop that will mainly be for the wife's use. Inspiron 8100, *very* nice system, XP pre-installed. Every time there is a BSOD (thing is 3 days old, had one at least once a day so far), when it comes back up it wants to do error reporting. Each time it submits an error report, it wants you to be able to track it. Tracking requires...yes, you guessed it, a .NET Passport.

As soon as I realized this, I hit cancel and 'submit error report anonymously'.

Not everyone is going to realize that this is A Bad Thing(tm), unfortunately. But with the holes that Nimda, and Code Red exploited, and now THIS in Passport, how can you give your critical information to M$ without worrying 'just a little?'

Flash! Terrorists steal US identities (1, Funny)

WillSeattle (239206) | more than 12 years ago | (#2514563)

Microsoft .Net and Passport to blame!

Bill Gates identified as culprit: "We of the Taliban shall never be defeated!" shouts the software terrorist as he is hauled off to a comfy cell.

More news as this story breaks ...

I blame open-source (-1)

Anonymous Pancake (458864) | more than 12 years ago | (#2514564)

how much you want to bet the person who did this is a linux and open-source zealot? They will do anything to bring microsoft down, just as bad as terrorists!

Karma Suicide (0, Offtopic)

istartedi (132515) | more than 12 years ago | (#2514567)

Yes folks, I'm tired. Getting modded up at 50 and getting nothing from it is such a bore. Bouncing around in the high 40s just isn't worth it anymore. In fact, you might even say I'M AS MAD AS HELL AND I'M NOT GOING TO TAKE IT ANYMORE.

That's why I'm going to blow my Karma brains out, right here on national TV, err... um... international web... err.. whatever. You get the idea.

Heck, I might even go for negative karma. I mean, VA Linux, err... um... VA Software or VA Chicken Processing or whatever business they are in this week is going to fold soon anyway. What difference does it really make? So go ahead mods, do your worst.

===========

While I'm waiting for the form submission timeout, let me tell you a little fable. Once upon a time a man heard that there was gold in seawater, but no economical way to extract it. So, he studied chemistry for years, earned a PhD and worked secretly on it in his spare time, neglecting everything including marriage, parties, and anything remotely resembling fun. One night he went out in a boat to test it. Because he forgot to move a decimal point, he didn't realize how fast it would work. He went to sleep, and overnight the electrode got so heavy that the boat sank with him, his idea, and his pathetic life on board.

The moral of the story? Well, this is /., so "Bill Gates is evil" is the moral.

Re:Karma Suicide (1, Offtopic)

smack_attack (171144) | more than 12 years ago | (#2514590)

Cool, I'll blow 3 karma points with you (42 karma). :)

What about PayPal etc.? (4, Insightful)

byronne (47527) | more than 12 years ago | (#2514571)

Maybe I'm being stupid here, but what's the diff between Passport and PayPal, and why hasn't PayPal been a crack target?

Also, I had no idea 165 MILLION people were already using Passport - I suppose my OS hasn't asked me enough times to sign up for it until I break under the strain...

Re:What about PayPal etc.? (4, Interesting)

dwlemon (11672) | more than 12 years ago | (#2514610)

There have been attempts to get PayPal users' information. Quite a while ago somebody set up a site called PayPaI.com (note the capital I) and sent out spams that linked to the site. The site looked just like PayPal with a place to type your username and password.
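The PayPaI.com trick above works because a capital I and a lowercase l are indistinguishable in most fonts. The following is an added example, not code from the original thread or from PayPal: a small Python checker that reduces each host name in a message to a visual "skeleton" (case-folded, with confusable characters mapped onto one representative) and compares it with a constructed list of protected brand domains, so a link to PayPaI.com is flagged as a look-alike while www.paypal.com passes. The brand list, the confusable table and the sample message are all assumptions made for the example.

```python
"""Flag look-alike host names (e.g. PayPaI.com vs paypal.com) in message text.

Added example; the protected-domain list and sample message are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed list of domains we want to protect (assumption for this example).
PROTECTED_DOMAINS = {"paypal.com", "hotmail.com", "passport.com"}

# Multi-character sequences that read as one glyph, applied before single chars.
_MULTI = [("rn", "m"), ("vv", "w")]
# Single characters that look alike in common fonts, each mapped to one representative.
_SINGLE = str.maketrans({"l": "1", "i": "1", "|": "1", "o": "0", "s": "5", "z": "2", "g": "9"})

# Loose URL matcher: enough to pull links out of plain-text mail bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def skeleton(label: str) -> str:
    """Case-fold a host name and collapse confusable characters.

    Two names with the same skeleton look the same to a human reader,
    which is exactly the property a phishing domain exploits."""
    s = label.lower().strip(".")
    for seq, rep in _MULTI:
        s = s.replace(seq, rep)
    return s.translate(_SINGLE)


def registrable(host: str) -> str:
    """Last two labels of a host (good enough for the .com/.org cases here;
    a real deployment would use the public suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify(host: str):
    """Return ("legitimate" | "lookalike" | "unknown", matched brand or None)."""
    host = host.lower().strip(".")
    reg = registrable(host)
    if reg in PROTECTED_DOMAINS:
        return ("legitimate", reg)
    brand_by_skel = {skeleton(b): b for b in PROTECTED_DOMAINS}
    # Registrable domain that merely *looks* like a brand: PayPaI.com, paypa1.com, ...
    if skeleton(reg) in brand_by_skel:
        return ("lookalike", brand_by_skel[skeleton(reg)])
    # Brand name used as a subdomain of someone else's domain: paypal.com.evil.example
    host_skel = skeleton(host)
    for skel, brand in brand_by_skel.items():
        if host_skel.startswith(skel + "."):
            return ("lookalike", brand)
    return ("unknown", None)


def scan_message(text: str):
    """Return (host, verdict, brand) for every URL found in the text."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        verdict, brand = classify(host)
        findings.append((host, verdict, brand))
    return findings


# Constructed sample message in the style of the spam described in the comment.
SAMPLE_MESSAGE = (
    "Your account has been limited. Please verify at "
    "http://PayPaI.com/cgi-bin/webscr within 24 hours. "
    "Help is available at https://www.paypal.com/help as usual."
)

if __name__ == "__main__":
    for host, verdict, brand in scan_message(SAMPLE_MESSAGE):
        print(f"{host:20} {verdict:10} {brand or '-'}")
```

Skeleton comparison catches the visual substitutions (I/l/1, O/0, rn/m) that a plain string comparison misses; it deliberately does not try to catch edit-distance typosquats such as paypall.com, which need a different check.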

Technology @ Ebay (0, Redundant)

slugfro (533652) | more than 12 years ago | (#2514579)

I know most readers here aren't using hotmail but the article also mentions that the technology has also been deployed [microsoft.com] [Microsoft Press Release] on Ebay. Thought you might want to know!

Passport liability (4, Insightful)

stox (131684) | more than 12 years ago | (#2514582)

I haven't read the Passport user's agreement, but would I be incorrect in guessing that Microsoft takes no responsibility for the safety of one's personal data? We're sorry we ruined your life, but if you read the fine print you will see that we are not responsible for anything. When will Microsoft be held responsible for its actions?

Re:Passport liability (0)

Anonymous Coward | more than 12 years ago | (#2514680)

Not until George "Bought and Paid For" Bush is booted out in the next coup.... I mean "election".

Another lesson to be learned from this (4, Insightful)

Paul Boven (211567) | more than 12 years ago | (#2514604)

This shows that your private information may not be in the best hands when entrusted to a company like Microsoft. But there are other 'takers'. Some even with the best of intentions.

If any of them ever gets to be the one and only 'central repository', they will be subject to just this kind of attack as well. If you can't compromise the service, then hack into the user's desktop. As soon as enough people use it, it becomes a very attractive target. In a similar vein, there have been viruses that target the client end of home-banking software.

Security is enhanced by redundancy, by having several distinct systems in place, preferably as dissimilar as possible. Monoculture and monopolies always form a fertile environment for viruses and other pests.

I feel this makes the whole idea of a centralized service like Passport or any of its competitors an extremely dangerous development.

I know... (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2514605)

What happens when someone steals the basket with all your eggs?

You get a new fucking henhouse, god damnit.

This is why... (4, Informative)

Amazing Quantum Man (458715) | more than 12 years ago | (#2514608)

I never (knowingly) allow any site to keep my CC number and why I always use a "temporary" CC number (for example Amex Private Payments).

New XP campaign song (0, Troll)

dbretton (242493) | more than 12 years ago | (#2514614)


Faster than the speeding light she's browsing,
Trying to remember where her wallet ran,
She's lost herself that Ebay afghan,
Waiting for the time when MS shall be as one

And I feel like I just got robbed
And I feel...

(all apologies to Madonna)

it isn't just about hotmail and passport wallet (5, Interesting)

Marc Slemko (6200) | more than 12 years ago | (#2514618)

While I make this point in my paper, I just wanted to make sure people understood:

The real risk here isn't to hotmail or passport wallet (passport wallet isn't really an integral part of passport, just another service using it for authentication). It is to all things using passport. That isn't so much right now. But if Microsoft has their way, it will be. The sample exploit used Hotmail and Passport Wallet simply because they are commonly used services.

I would also like to note that Microsoft has been quite forthcoming with details and admitting the problems and fixing them. They are very good at being reactive. We will have to see how well this works going forward.

Re:it isn't just about hotmail and passport wallet (1)

Lonath (249354) | more than 12 years ago | (#2514703)

But, ALL systems like this will have the same kinds of flaws. There is simply too much at risk to allow someone access to everything about you and all of your money based on a simple login that you use constantly. As much as I like the idea of universal logins, they should be restricted to things that don't involve any kind of money. Ever.

Reactive (1)

PineHall (206441) | more than 12 years ago | (#2514718)

They are very good at being reactive.

I wish they were more proactive!

Re:it isn't just about hotmail and passport wallet (1)

tob (7310) | more than 12 years ago | (#2514740)

> I would also like to note that Microsoft has
> been quite forthcoming with details and
> admitting the problems and fixing them.

No they have not. This afternoon (about 8 hours ago) a Microsoft spokesman said on Dutch radio that it was extremely unlikely that there would ever be a security hole in Passport. If I understand correctly, Microsoft already knew about this leak at that time. Once again, they've shown themselves liars and cheaters.

What happens? (-1)

Trollificus (253741) | more than 12 years ago | (#2514621)

"What happens when someone steals the basket with all your eggs?"

You find them, and you take your basket back.
Then you shoot them in the head.

GPL -- nice but inconsistent (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2514627)

The most annoying thing about the GPL is the way people (mostly Americans) can't bring themselves to admit that it's a half-baked socialist ideal, because they don't even understand socialism, let alone dare claim support for it. Nay, even communist, because RMS believes all software *must* have this licence.

The GPL argument seems to be based on, "software has no monetary value because it can be easily copied". If software were an expression of an idea that only existed on non-replicable medium, it would have such value, right? Excellent. All I have to do then is to make a Star Trek Replicator (I'm sure it will happen eventually) and, by RMS, _everything_ replicable will lose all financial value.

The placement of software on a bit of media is no different than Coca Cola saying, "hey, this would be a cool mix of sugar and goo!" and mixing the ingredients together into a can. Or a carpenter saying "hm, I know how to make a more sturdy chair" and building it with his tools. Each is the sequence idea -> implementation of idea.

I can't possibly fathom why ideas should be free (that is to say, the mere product of man's mind) but the expression of those ideas (say in a chair, the product of man's mind and hands) may not. Worse, why campaign for ideas to be free, but let those who restrict their ideas (the majority of companies) use their ideas for further restriction?

Trying to figure out an answer:

1. Expression takes more effort? No it doesn't. Thinking the ideas often takes more effort than implementing them, e.g. developing a new drug compared to mixing the ingredients.

2. Research into new ideas costs no money? Ha. This might explain why GNU / Linux is so uninnovative, and its main role is to play catchup. Yes, Linux has some wonderful efficiencies, say in the interrupt processing code. But there are never any *big new ideas*. Research takes much money and time, the gathering of data, the use of equipment, and the use of people who have to eat and be housed, etc.

3. Ideas can be copied without cost. No, someone pays for the communications medium. Usually Big Bad Corporations, unless you wish to free the implementation of ideas too. _Cheaply_, maybe. You tell a man stuck in the middle of Africa, "Dammit! Just download the source! It's Free!" and he may ask you for (food..) education in the English language, a computer and an Internet connection. Free software may lower the barrier to enlightenment, but only for rich Westerners with lots of time on their hands to learn.

Consistency please!

A flawed MS product (OMFG) (2)

Bobuhabu (468270) | more than 12 years ago | (#2514628)

"It is very clear that either Microsoft does not have sufficient resources in place to properly review the security of their services and software, or that they are aware of the shortcomings but decided that attempting to gain market share was more important than their user's security," he said.

I'm gonna go for all of the above

Mongolian Hordes method... (1)

Anonymous Coward | more than 12 years ago | (#2514629)

Sad. Has ANYONE at Microsoft considered the odds they're up against?

The Redmond squad: A handful of programmers forced to work with an operating system that was never designed for security in the first place.

The other guys: A WORLD full of bored and tech-savvy geeks, most of whom have grown up with a nice, healthy contempt for anything Microsoft.

Guess who wins?

-- Nick

XP == (4, Funny)

dbretton (242493) | more than 12 years ago | (#2514636)

eXport Privacy

Re:XP == (0)

Anonymous Coward | more than 12 years ago | (#2514660)

Or, "Everything you always wanted in an OS, eXcept Privacy."

(Now with 10% fewer blue screens.)

Re:XP == (1)

CyanDisaster (530718) | more than 12 years ago | (#2514689)

eXPensive, eXPloited, eXcremental Product...need I go on? :)

But your honor, MS said it couldn't happen! (1)

Zergwyn (514693) | more than 12 years ago | (#2514639)

"Well you see your honor, when all those free credit card numbers appeared in my e-mail, I just assumed that they were free trial numbers like the mail said. I just KNEW that they couldn't have been ripped off from people's passport accounts, because Microsoft swore to me on their holy closed source code that it was -impossible-! How was I to know ordering all that expensive stuff right away wouldn't be ok..."

This isn't a bug (1)

lavaforge (245529) | more than 12 years ago | (#2514640)

It's a feature. You know that the majority of people who get a passport account only use it to sign up for pr0n sites anyway...

This just cuts out the middleman

Offline Forever (3, Interesting)

rusti999 (167057) | more than 12 years ago | (#2514647)

Comment from Passport's program manager:

the wallet service will remain offline until the company can add additional security features "to ensure that similar exploits cannot be used to compromise our user's credit card information."

What's the standard for this? Based on Microsoft's track record, a new exploit will come up regardless of how many patches are issued. No way I'm going to let them keep my personal data. Too bad the average consumer may not realize this.

Anyone ready for that negligence suit? (3, Interesting)

weez75 (34298) | more than 12 years ago | (#2514651)

While we espouse our need to breakup Microsoft we have overlooked our great need to sue for negligence and false advertising. Their products do not perform safely nor with the diligence we as consumers need. This is another case of a lack of thought and concern put into a consumer product. If Passport were a vehicle or food product, the manufacturer would have been sued for negligence.

Who should really be concerned about this? (1)

kaoshin (110328) | more than 12 years ago | (#2514658)

If my parents got their CC# stolen from passport and some guy bought a thousand dollars in hot grits, they would dispute the charges. No biggie. If I was VISA on the other hand, I might have a different perspective.

What about the other ways your CC # can be stolen? (3, Insightful)

nvrrobx (71970) | more than 12 years ago | (#2514665)

People seem to be blowing this out of proportion, IMHO.

How often do you hand your credit card to a server at a restaurant? A store? Over the phone to pay for something? Are you forgetting that your credit card number can easily be stolen that way? Most receipts from purchases have your credit card number on them. Do you shred / burn them to stop someone from getting your CC #?

Open a message in HOTMAIL? (1)

NerdSlayer (300907) | more than 12 years ago | (#2514667)

Are you crazy? Does anyone here actually have a hotmail account? All I get is spam... there's no possible way I'd EVER open a message in my hotmail.

Looks like I have no worries on this one...

Re:Open a message in HOTMAIL? (1)

xX_sticky_Xx (526967) | more than 12 years ago | (#2514728)

Does anyone here actually have a hotmail account? All I get is spam

I have not 1 but 2 hotmail accounts. My main account has been active for over 2 years now and I have yet to receive one piece of spam in it. I find it funny that whenever hotmail is mentioned here everyone goes off about spam. Has it ever occurred to you that the reason a lot of people get spam in web-based accounts (eg. hotmail, yahoo mail, etc.) is not from any flaw in the service but the fact that they pick a username with a numbered extension (eg. spammagnet_123@hotmail.com)?

What happens when someone steals the basket (0)

Anonymous Coward | more than 12 years ago | (#2514669)

What happens when someone steals the basket with all your eggs?

All your egg are belong to someone!

time on his hands (0)

Anonymous Coward | more than 12 years ago | (#2514682)

"Slemko is a founding member of the Apache Software Foundation"

Too bad he can't spend his time fixing the Windows version of Apache.

Wow (5, Interesting)

augustz (18082) | more than 12 years ago | (#2514691)

I can't believe this actually happened. I mean, their entire .NET initiative is riding on this passport business and showing they can secure your information.

What folks need to do is hold off on publishing these exploits (as Microsoft requests) until they've got a lot more riding on it. When a couple of banks lose a couple of million bucks on this, not to mention the confidence of their customers, well, then you might get some real coverage.

Remember, Microsoft wants to build houses of straw, and likes to call anyone who points out they are made of straw terrorists. Of course, as soon as I see that attitude from someone I'm supposed to trust I run as far and as fast as I can, just as I'd run from a used car salesman who wouldn't let my mechanic check out the car.

Where do you want to go with my money today? (4, Funny)

Srsen (413456) | more than 12 years ago | (#2514713)

You will be assimilated. Resistance is fut- HEY! Who took my wallet?

Hey, C'mon now! (1)

ackthpt (218170) | more than 12 years ago | (#2514715)

Doesn't anyone remember how naughty it is to be reporting all these bugs! Be sensible and sweep them under the rug.

give 'em rotten eggs (1)

GutterBunny (153341) | more than 12 years ago | (#2514717)

What happens when someone steals the basket with all your eggs?

Perhaps one should fill their basket with rotten eggs. Such as creating false and very traceable credit card #s that in every way look real. Set a few of these rotten egg baskets about and let the bad people have at them.

Or, I suppose you could fix the software. But that's no fun.
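The "rotten eggs" idea above is what is now usually called a honeytoken: a decoy value that looks real, is never used legitimately, and raises an alarm the moment anyone tries to spend it. The block below is an added example, not code from the thread or from any card issuer. It builds 16-digit decoy card numbers that pass the Luhn check, embeds a basket identifier plus an HMAC tag in the middle digits so the issuer can recognise its own decoys without keeping a list, and scans a constructed charge log for attempts to use one. The prefix `999999`, the secret and the log lines are all constructed for the example; a real issuer would use a BIN range it actually owns.

```python
"""Honeytoken card numbers: Luhn-valid decoys that identify which basket leaked.

Added example with constructed values; not a real issuer's scheme.
"""
import hashlib
import hmac
import re

BIN = "999999"  # constructed prefix, not an assigned issuer identification number


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # rightmost digit of the partial is doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """Standard Luhn validation over a full card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _tag(secret: bytes, basket: str) -> str:
    """Five decimal digits derived from HMAC-SHA256(secret, BIN + basket)."""
    mac = hmac.new(secret, (BIN + basket).encode(), hashlib.sha256).hexdigest()
    return str(int(mac, 16) % 100000).zfill(5)


def make_canary(secret: bytes, basket_id: int) -> str:
    """Layout: BIN(6) | basket id(4) | HMAC tag(5) | Luhn check digit(1) = 16 digits."""
    basket = f"{basket_id:04d}"
    partial = BIN + basket + _tag(secret, basket)
    return partial + luhn_check_digit(partial)


def is_canary(secret: bytes, pan: str):
    """Return the basket id if pan is one of our decoys, else None.

    A random number in our prefix fails either Luhn or the HMAC tag;
    a forged or mistyped decoy fails the tag."""
    if len(pan) != 16 or not pan.isdigit() or not pan.startswith(BIN):
        return None
    if not luhn_valid(pan):
        return None
    basket, tag = pan[6:10], pan[10:15]
    if not hmac.compare_digest(tag, _tag(secret, basket)):
        return None
    return int(basket)


PAN_RE = re.compile(r"pan=(\d{13,19})")


def scan_charges(secret: bytes, lines):
    """Return (line number, basket id) for every charge attempt against a decoy."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = PAN_RE.search(line)
        if m:
            basket = is_canary(secret, m.group(1))
            if basket is not None:
                hits.append((n, basket))
    return hits


# Constructed demo secret and authorisation log; 4111111111111111 is a common
# Luhn-valid test number, included so the scanner has an ordinary card to ignore.
DEMO_SECRET = b"constructed-demo-secret"
SAMPLE_LOG = [
    "2001-11-02T21:14:05Z merchant=bookshop pan=4111111111111111 amount=42.00 result=approved",
    f"2001-11-02T21:14:09Z merchant=gritsmart pan={make_canary(DEMO_SECRET, 7)} amount=1000.00 result=declined",
    "2001-11-02T21:14:11Z merchant=gritsmart pan=9999990007123456 amount=1000.00 result=declined",
]

if __name__ == "__main__":
    for n, basket in scan_charges(DEMO_SECRET, SAMPLE_LOG):
        print(f"line {n}: charge attempted with decoy from basket {basket:04d}")
```

Because the tag is keyed, the detector can tell a genuine decoy from a random or mistyped number in the same prefix, and the basket id says which seeded store or mailbox was compromised; the same scan can run on authorisation logs or on dumps found circulating.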

WWMRTD? (what would mr t do?) (4, Funny)

dbretton (242493) | more than 12 years ago | (#2514729)

What happens when someone steals the basket with all your eggs?

Eggs? What you talkin' all about eggs for? Don't give me none of that Gibber-Jabber, or you best be tossed!

You took a wallet? I don't see no crazy wallet! You're talking like Face, crazy fool!
Besides, you don't need no wallet! Just dial 1-800-COLLECT and save a buck or two.

XP? That better mean Xtra Punishment, cause that's what I'm gonna do to that Gates fool! He can't escape me, cause my van's hella fast!

Don't do drugs! Drink milk!

Come here, sucka. I'll toss you!

Perhaps this is the "killer app"... (1)

davecb (6526) | more than 12 years ago | (#2514738)

...for Linux, that is! We've had public key cryptography for a while, thanks to Dr. Diffie and friends. I wonder if it's time to prototype a real personal wallet framework around PK and get someone like Whitfield Diffie to push it as a privacy-friendly form of magic authentication. How about "if you don't have a PenguinCard we can't look you up in our Oracle database, so you can't get on the plane".