Information Security News mailing list archives

The trouble with Hotmail


From: InfoSec News <isn () c4i org>
Date: Wed, 22 Aug 2001 05:03:34 -0500 (CDT)

http://www.salon.com/tech/feature/2001/08/21/hotmail/print.html

[No mention of this weekend's troubles with Hotmail, but still an
interesting read.  - WK]


By Damien Cave
Aug. 21, 2001 

At first, Dave Miller didn't mind when Hotmail started treating him
like a child. The 33-year-old software engineer had been using the
Web-based e-mail service since 1995 -- two years before Microsoft
purchased it -- and he'd grown accustomed to the outages and quirky
malfunctions that occasionally afflicted his account.

It did seem a little bit odd that Hotmail would only allow him access
to his e-mail after a "parent" logged in from another account and gave
Miller permission, but he figured that the glitch was probably due to
a recent redesign. He used another Hotmail account to approve his own
attempt to get his own e-mail, and expected the Hotmail hiccup to be
fixed in a matter of days.

But the problem persisted. Eventually Miller figured it out: In late
July he had signed his daughter up for a children's version of Hotmail
and Microsoft's Instant Messenger service; in the process, which he
calls "inconsistent and confusing," he inadvertently kiddie-sized his
own account.

"I set my birthday to hers -- June 29, 1996," he says.

Miller immediately shot an e-mail to Hotmail tech support, assuming
that a representative could easily fix his "Passport," the log-in
template that stores personal information for users of Hotmail and
other Microsoft services.

Yet Microsoft told Miller his account couldn't be fixed. "I'm sorry to
say this," came the reply from Redmond, "but we cannot change a
child's account to a 'Regular adult/full' Passport account when you
already gave consent to it."

No reasons were offered, technical or policy-based. The e-mail merely
encouraged Miller to keep going through the convoluted process of
giving himself permission "by using another parent account."

Miller, a software quality assurance expert, could hardly believe what
he was reading. Microsoft's inability to simply change the age, or
even delete and re-create the account, seemed ridiculous. Though
perhaps not quite life-threatening in importance, to Miller the
incident bore a significance that extended beyond your average
software nuisance. If Microsoft's engineers couldn't fix an apparently
minor problem with Hotmail, how much confidence should Net users place
in Microsoft's much more ambitious plans -- with its much ballyhooed
.NET initiative and HailStorm -- to absorb their online lives?

"These kinds of problems are indicative of slipshod design," he says.
"They certainly say something disturbing about the entire .NET
initiative."

Microsoft's .NET plan, which some observers see as part of a
comprehensive strategy to battle AOL Time Warner for mastery of the
online universe, is built on the premise that users will allow the
consolidation of their personal information on centralized Microsoft
server computers. The payoff is supposed to be "seamless" access to a
vast array of online services. But to critics, the consolidation of
e-mail, instant messaging and other goodies in the hands of Microsoft
-- beyond, obviously, sounding antitrust alarms -- would make everyone
more dependent on Microsoft's software infrastructure. And that
infrastructure is already prone to virus attacks and other weaknesses
that the rest of the Net has so far managed to evolve strong defenses
against.

Microsoft representatives argue, in return, that Hotmail still works
better than other Web-based e-mail services. Defenders of the company
suggest that Hotmail's growing pains offer valuable lessons for
Microsoft that will actually help .NET succeed.

But Dave Miller's Hotmail woes are hardly unique. In 1998, news
traveled quickly around the Web of a method to steal Hotmail
passwords; a year later, Microsoft paralyzed the service by forgetting
to reregister the Passport.com domain name.

Meanwhile, outages have become commonplace, almost every-month
occurrences -- and not just for Hotmail. Microsoft's Instant Messenger
service -- which also uses Passport -- suffered a 10-day outage
earlier this summer, and in late July, millions of users lost Hotmail
access for several days after Hotmail's Windows NT servers were
infected by the Code Red virus -- a problem that primarily affected
Microsoft NT servers, and not computers running Linux-based or Unix
operating systems or the Apache Web server program.

Microsoft's goal of becoming a one-stop shop for the entire Net is no
secret. But is such a place, to paraphrase the company's own
ubiquitous advertising slogan, really where we want to go today, let
alone tomorrow?

Many of Hotmail's problems can be blamed on sheer size. When Microsoft
bought Hotmail in 1997 for $400 million, the service claimed it had
about 9 million users. Over the past four years, that number has
jumped to 110 million, according to Microsoft.

Scaling up is always a problem for Internet applications, but
Web-based e-mail is especially hard to manage, says Lawrence Hughes,
author of "Internet E-Mail: Protocols, Standards and Implementation."

It's "extremely difficult to get right," Hughes says, because the
service tends to be a bandwidth hog. Whereas desktop-based e-mail
programs use only a few kilobytes to transfer mail, Web-based e-mail
demands more, sometimes as much as a megabyte per user.

"This can drastically limit the scalability of the application, even
on one-GB [gigabyte] servers," Hughes says.

Maintaining complete locked-down control is also particularly hard for
Web-based e-mail because log-in processing doesn't take place on the
PC, but rather on the server, so there's more of an opportunity for
malicious crackers to intercept the data. The widespread use of
JavaScript pop-ups adds another window of vulnerability. Indeed, the
folks who made it possible to steal Hotmail passwords took advantage
of both problems: They created a pop-up that requested Hotmail log-ins
and passwords, so when some unsuspecting user typed in the
confidential information -- thinking the page came from Microsoft --
it was sent directly to the thieves.

The lack of Web browser standardization also causes problems:
Designers can't completely control the look and feel of a Web site in
the way that the makers of Eudora, or Microsoft's own Outlook, can
control their user interfaces. Such quirks also make it easy to
introduce bugs or glitches.

"It is unbelievably challenging to run and manage an online service of
[Hotmail's] scope, regardless of who you are," says Ray Ozzie, creator
of Lotus Notes and the founder of Groove Networks, a peer-to-peer
software company. "NASDAQ has had their share of highly visible
problems recently, eBay and AOL have had their share over the years
and so on."

And instead of hurting Microsoft, Ozzie argues, Hotmail's outages,
security problems and minor troubles may actually improve the
company's chances of making .NET work. Solutions can be applied to
more ambitious plans, "increas[ing] the probability that they'll be
able to manage the more strategically important services such as
HailStorm when they indeed need to roll them out," he says.

Ozzie, however, is hardly an objective pundit; although a
nondisclosure agreement prevents him from revealing the details, he's
working with Microsoft's HailStorm team on yet-to-be-announced
services.

And even if the Hotmail development process can be regarded as a
training-wheels approach to .NET, that still may not be enough to
ensure success, say critics.

"Is sitting in a wading pool good training for the Olympic high dive?"
asks Miller. "You might learn some basics like, 'Don't breathe when
your head is underwater,' but you're never going to pick up the
technique until you buckle down and do it right."

Ultimately, according to Miller and other critics, there's only one
way for Microsoft to make .NET a success -- by radically changing the
company's corporate culture. It all starts with security.

.NET is more fragile than the average Microsoft initiative because
every service will be attached to a centralized network rather than a
stand-alone PC; a problem for one could be a problem for all. So in
order to remove the risk of a complete meltdown -- in order to obtain
the steady reliability people have come to expect from desktop
software systems -- Microsoft needs to make security more of a
priority.

It won't be easy. Microsoft has continually "sacrificed security for
default features," says Roger Grimes, author of "Malicious Mobile
Code: Virus Protection for Windows." Outlook, for example, contains an
auto-send feature that's useful but is also regularly exploited to
spread viruses. Windows NT's basic default installation is also
problematic, says Grimes, giving every connected user unfettered
access -- an open-door practice that drives security experts up the
wall. (Other examples abound; Grimes says that Microsoft has chosen
functionality over security in at least 19 cases.)

Microsoft maintains that both security and functionality goals are
attainable. "Microsoft operates some of the largest Web services in
the world, and we are very focused on making sure that customers can
count on a secure, safe experience with those properties," says Adam
Sohn, product manager for the .NET platform strategy group. "HailStorm
and .NET are built from the ground up with these tenets in mind, and
were architected as Internet-native technologies with robust
infrastructure for security, authentication and privacy."

Sohn's jargon mastery is impressive, but does not sway Microsoft's
more ardent gadflies. "The needs of a commercial software enterprise
such as Microsoft" -- the need to create new products that bring in
revenue -- "are fundamentally at odds with the growing need for
software stability," counters Steve Gibson, founder of Gibson Research
Corporation, a security firm. Take, for example, Microsoft's typical
response to a security breach. The company posts a software fix or
patch on its Web site, and expects users to download it and apply it
themselves. Users bear the brunt of responsibility for ensuring their
own safety. Does such a strategy mesh with the setting up of a system
that will require users to trust Microsoft even more than they
currently do?

"I have spoken with many system administrators whose voices are never
heard," says Gibson. "They lament that this 'security model' is
bass-ackwards and that an unreasonable level of vigilance is being
required of them."

"The fact that Microsoft's own Hotmail service -- as well as one or
more Windows Update servers before that -- were unpatched [when Code
Red hit] demonstrates the problem with the current approach," Gibson
says.

Microsoft should spend more time and effort plugging holes before a
product is released, says Gibson. Or it could go one step further --
and start embracing solutions that already work and are currently in
favor with experienced Net users.

More than 50 percent of publicly accessible Web servers, for example,
employ the Apache Web server program on top of Linux-based or Unix
operating systems. Such software isn't chosen simply because much of
it is free or "open source" (meaning that the underlying software code
is publicly available) -- it's also widely considered to be more
stable. Stability, rather than revenue growth, is often the primary
goal of the programmers who are constantly improving such software.

As a result, says Chris Coleman, open-source editor at O'Reilly &
Associates, a computer books publisher, "There aren't any worms for
Apache. You just don't see these kinds of [Code Red] problems."

Hotmail actually started out with substantial open-source roots. When
Microsoft bought the service, Hotmail made heavy use of portions of
the FreeBSD operating system, along with Solaris, a proprietary Unix
system developed by Sun Microsystems. Three years later, Microsoft
moved Hotmail to servers running Windows. Executives argued that
Microsoft software would do a better job, but if the company had kept
the older software, Code Red would never have had a chance to take
Hotmail down.

Few observers believe that there is any chance that Microsoft will
base .NET on open-source software -- in fact, many believe exactly the
opposite, that .NET is in part a strategy designed to force the rest
of the Net to wean itself away from free software. But in June the
Wall Street Journal reported that Microsoft -- despite previous claims
-- was still using open-source software for some Hotmail purposes.

Even if Microsoft did take some basic steps, tightening default
security sessions and overcoming its reluctance to depend on software
popular with the rest of the Net, there are still other concerns to be
addressed.

Microsoft maintains that .NET is "fully redundant as well as
geographically distributed to ensure availability" -- in other words,
it's not supposed to crash. But the entire strategy is predicated on
returning to exactly the kind of centralized system -- with Microsoft
and its products at the hub -- that the Internet was supposed to
supplant.

There are some obvious benefits to this approach. Having a "Passport"
with your credit card information and address and other personal
information may well make it easier to shop online. But it also sets
up .NET as the ideal target for the seamier elements of the Net --
marketers who want your personal data, and thieves eager for access to
your credit card.

"Individuals and businesses really have to carefully assess the
tradeoffs in relying upon a single point of vulnerability for things
that matter to them," says Ozzie of Groove Networks. "There are real
tradeoffs -- privacy, security, availability, cost -- that we should
all be thinking about with respect to placing data and applications at
the 'edge' vs. the 'center' of the network. Neither is the 'right'
answer for all situations."

For .NET to work, argues longtime Hotmail user Dan Yurman, "all online
providers of goods and services or content are going to have to
address the issue of consumer confidence." Microsoft's own recent
troubles, such as the 10-day outage of its Instant Messenger service
this summer, "was not a confidence builder toward that goal," he says.

Dave Miller, despite his criticisms, isn't positive that the outages
and glitches will damn .NET to failure. He says he believes Microsoft
has actually done a decent job of keeping Hotmail afloat. It's the
little things that put him on edge: the idea that Microsoft is
embarking on a major technological paradigm shift without knowing how
to fix minor bugs. Maybe he just wants to be recognized as an adult
when he signs onto Hotmail; maybe he just wants better customer
service. But Miller's anger has yet to subside. He figures it's
Microsoft that needs to grow up.

"When it comes to handling my personal information and money, I expect
the handlers to have put some serious effort into planning for the
contingencies," Miller says. .NET still might work, he says, but
"don't expect it to be painless."



-
ISN is currently hosted by Attrition.org
