Information Security News mailing list archives
Re: Hackers Shortcut Hotmail Password Reset Protections
From: InfoSec News <isn () c4i org>
Date: Wed, 13 Feb 2002 04:13:16 -0600 (CST)
Forwarded from: Robert G. Ferrell <rferrell () texas net>
> Security researchers have discovered a vulnerability in Microsoft Corp.'s Hotmail service that allows hackers to bypass security questions that users must answer before resetting their passwords.
Sorry, but if you're relying on Microsoft to provide security, you pretty much deserve what you get. Hotmail, especially, has been the subject of a long string of embarrassing and extremely glaring security glitches. But it's really only the tip of the iceberg.

Jericho and I had a discussion about Microsoft's security posture over a few beers the other day, and I'm fully in agreement with his stance, which is basically that the new emphasis on secure programming is a smokescreen designed to reassure the gullible without really effecting any change in their corporate culture. They'll crowd their coders into some classrooms for a month, milk the experience for all the publicity they can, and then go back to spitting out the same feature-soaked, security-poor software they always have. But now they can slap little colored labels on it that say "security-enhanced" or some other misleading and completely bogus claims.

Bill Gates is a billionaire. The reason he's a billionaire is that people buy anything and everything that Microsoft cranks out, without questioning it, in the same consumer herd mentality that's produced so many tycoons in the past. He's obviously seriously successful; why on earth would he want to change a formula that's worked so well up to now? A few of us in the security community pissing and moaning about his crappy software won't make a scrap of difference unless John Q. Public stops buying it. We can complain until we get blue in the face and pass out, for all he cares. Caveat emptor isn't just an aphorism these days, it's a matter of survival.

Cheers,

RGF

Robert G. Ferrell
rferrell () texas net
http://rferrell.home.texas.net/rgflit.html

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.