Information Security News mailing list archives

Re: Hackers Shortcut Hotmail Password Reset Protections


From: InfoSec News <isn () c4i org>
Date: Wed, 13 Feb 2002 04:13:16 -0600 (CST)

Forwarded from: Robert G. Ferrell <rferrell () texas net>

Security researchers have discovered a vulnerability in Microsoft
Corp.'s Hotmail service that allows hackers to bypass security
questions that users must answer before resetting their passwords.

Sorry, but if you're relying on Microsoft to provide security, you
pretty much deserve what you get.  Hotmail, especially, has been the
subject of a long string of embarrassing and extremely glaring
security glitches.  But it's really only the tip of the iceberg.

Jericho and I had a discussion about Microsoft's security posture over
a few beers the other day, and I'm fully in agreement with his stance,
which is basically that the new emphasis on secure programming is a
smokescreen designed to reassure the gullible without really effecting
any change in their corporate culture.  They'll crowd their coders
into some classrooms for a month, milk the experience for all the
publicity they can, and then go back to spitting out the same
feature-soaked, security-poor software they always have.  But now they
can slap little colored labels on it that say "security-enhanced" or
some other misleading and completely bogus claims.

Bill Gates is a billionaire.  The reason he's a billionaire is that
people buy anything and everything that Microsoft cranks out, without
questioning it, in the same consumer herd mentality that's produced so
many tycoons in the past.  He's obviously seriously successful; why on
earth would he want to change a formula that's worked so well up to
now?  A few of us in the security community pissing and moaning about
his crappy software won't make a scrap of difference unless John Q.
Public stops buying it. We can complain until we get blue in the face
and pass out, for all he cares.

Caveat emptor isn't just an aphorism these days, it's a matter of
survival.

Cheers,

RGF

Robert G. Ferrell
rferrell () texas net
http://rferrell.home.texas.net/rgflit.html 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
