Subject: Microsoft's Passport is about as secure and trustworthy as an Afghani passport !

From: WindowManager@bdcimail.com
Date: 2001/11/19 12:13
Please respond to WindowManagerHelp
To: Bill Gates <RichSod@US.gov>
cc:
Subject: BRIAN LIVINGSTON: "Window Manager" from InfoWorld.com, Monday, November 19, 2001

========================================================
BRIAN LIVINGSTON: "Window Manager"
InfoWorld.com
========================================================
Monday, November 19, 2001

- - - - - - - - - - - - - - - - - - - - - - - - - - - -

MICROSOFT TIMES OUT
Posted November 16, 2001 01:01 PM Pacific Time

MICROSOFT WAS forced to temporarily suspend an important financial service of its Passport Wallet program for several days after a programmer showed that he could obtain users' credit card numbers and other personal information merely by sending them a single e-mail message.

Marc Slemko, a Seattle developer, demonstrated that he could retrieve all of a user's cookies and use them to access that person's Passport information any time the user viewed one of Slemko's messages within 15 minutes of signing on to Hotmail (which now requires Passport).

After notifying Microsoft, and being assured that the company was temporarily taking its Express Purchase system offline on Nov. 1, Slemko published a white paper on this and other severe security problems with Passport. That paper is available at http://alive.znep.com/~marcs/passport.

I'm glad to see that a little guy can still wield some influence over the behavior of a software giant.

The weakness in Passport that Slemko forced Microsoft to address was similar to, but different from, the major problem that I warned readers about a couple of months ago (see "Passport is cracked," http://www.infoworld.com/articles/op/xml/01/09/10/010910oplivingston.xml ).

That problem, which still exists, is that Windows 95, 98, and Windows Me leave a user's ID and password visible in memory, where any rogue e-mail or Trojan horse can retrieve it during a user's dial-up connection to an ISP and for 10 minutes afterward.

In Slemko's case, the 15-minute vulnerability was due to a cache on Microsoft's Passport Web server. Microsoft reduced the Passport server timeout and placed Express Purchase back online on Nov. 3.

The company said in a statement that the vulnerability would not have affected users running the new Windows XP operating system. But Microsoft didn't wait until customers had XP before requiring millions of Hotmail subscribers to use Passport to log on. There are hundreds of millions of vulnerable PCs out there and Microsoft now requires that Passport be the only way to access an increasing number of services.

In an e-mail interview, Slemko stressed that the specific hole he demonstrated isn't the point.

"The issues I raised apply to the use of Passport in general, and become more and more important with every new site that uses Passport," he said.

"Passport is lacking in features that are necessary to protect the security and privacy of users with the sites deployed using it today, let alone the even higher level required if Passport is to be deployed in the pervasive way that Microsoft envisions," Slemko added. "Some of the flaws I came across are such trivial implementation flaws that you have to question Microsoft's commitment."

In other words, reducing a server timeout in no way solves the larger problem. There's more going on. I'd be interested to hear your findings, too.

Brian Livingston's latest book is Windows Me Secrets. Send tips to tips@brianlivingston.com. Go to http://www.iwsubscribe.com/newsletters to get Window Manager and E-Business Secrets free each week via e-mail.

- - - - - - - - - - - - - - - - - - - - - - - - - - - -

MORE WINDOW MANAGER
For a complete archive of his InfoWorld columns visit
http://www2.infoworld.com/cgi/component/columnarchive.wbs?column=window

INFOWORLD OPINIONS
Weekly commentary from the most trusted voices in IT at:
http://www.infoworld.com/community/t_opinions.html

- - - - - - - - - - - - - - - - - - - - - - - - - - - -

To join, or start, a discussion on this or any IT-related topic, please visit our InfoWorld forums at http://forums.infoworld.com. Here you can interact and exchange ideas with InfoWorld staff and other readers.

- - - - - - - - - - - - - - - - - - - - - - - - - - - -

QUOTE OF THE DAY:
"What are Microsoft's sales projections for pervasive Internet appliances? What do you think the total size of the market is given that many people never learned to program their VCR's before they were replaced with DVDs?"
--Question from a participant in InfoWorld's live online forum with Keith White, senior director of Microsoft's embedded and appliance platform group. Read what White has to say -- and more -- at:
http://www.infoworld.com/forums/embedMS?1119mnlv

- - - - - - - - - - - - - - - - - - - - - - - - - - - -

SUBSCRIBE
To subscribe to any of InfoWorld's e-mail newsletters, tell your friends and colleagues to go to:
http://www.iwsubscribe.com/newsletters/

- - - - - - - - - - - - - - - - - - - - - - - - - - - -

Prepare for MCSE Core and Elective Exams. Learn everything from Exchange Server 5.5 to SQL Server 7 to Windows 2000. Sign up now for the MCSE Certification Training package at http://webtraining.infoworld.com?tc=1119monwinmgrh
Package: MCSE Training Cost: $110.00, # of Courses: 100+, Subscription: One Year

- - - - - - - - - - - - - - - - - - - - - - - - - - - -

Copyright 2001 InfoWorld Media Group Inc.