Old May 9, 2003, 23:28   #1
Promethus
Settler
 
Local Time: 20:09
Local Date: November 1, 2010
Join Date: Jan 2002
Location: Battle Creek, Michigan
Posts: 23
Microsoft Admits Passport Security Flaw
By THE ASSOCIATED PRESS


Filed at 6:41 p.m. ET

WASHINGTON (AP) -- Microsoft acknowledged a security flaw Thursday in its popular Internet Passport service that left 200 million consumer accounts vulnerable to hackers and thieves -- an admission that could expose the company to a hefty fine from U.S. regulators.

Microsoft said it fixed the problem early Thursday, after a Pakistani computer researcher disclosed details of it on the Internet. Product Manager Adam Sohn said the company locked out all accounts it believed had been altered using the flaw. He declined to say how many people were affected but said it was a small number.

Several security experts said they had successfully tested the procedure overnight. Sohn said the flaw had apparently existed since at least September 2002, but Microsoft investigators have found no evidence anyone tried to use the technique to seize a Passport account before last month.

Passport promises consumers a single, convenient method for identifying themselves across different Web sites and encourages purchases online of movies, music, travel and banking services.

Closely tied to Microsoft's flagship Windows XP software, Passport also controls access for Windows users to the free Hotmail service and instant-messaging accounts.

The incident was yet another embarrassing lapse for Microsoft and could result in sanctions by the Federal Trade Commission and even a staggering fine. The episode occurs in the midst of Microsoft's "trustworthy computing initiative" to improve security for all its software products and services.

Under a settlement last summer, the government accused Microsoft of deceptive claims about Passport's security. In response, the company pledged to take reasonable safeguards to protect those accounts, submit to audits every two years for the next 20 years or risk fines up to $11,000 per violation.

Microsoft declined to say Thursday whether it had contacted the FTC. The agency's assistant director for financial practices, Jessica Rich, said any follow-up investigation would be conducted privately, but she added, "We routinely look into issues that may bear on compliance with our orders."

Sanctions or fines could be calculated various ways under federal laws, but Rich confirmed that each Passport account that was vulnerable could constitute a separate violation.

"If we were to find that they didn't take reasonable safeguards to protect the information, that could be an order violation," Rich said.

Theoretically, that would set the maximum fine at $2.2 trillion -- although experts said any fine would be significantly lower. The highest civil penalty previously assessed by the FTC was $4.05 million, against Mazda Motor Corp. in 1999. Sanctions imposed by the FTC will depend on technical details of the flaw and the adequacy of Microsoft's response over the next few days to prevent any recurrence.

"An important factor is, when does the company tell them about it? What does the company do about it?" said Jodie Bernstein, former director of the agency's bureau of consumer protection. "They have discretion. They can consider what has the company done to make sure this doesn't happen again."

The Pakistani researcher, Muhammad Faisal Rauf Danka, determined that by typing a specific Web address that included the phrase "emailpwdreset," he could seize any Passport account. He said he sent 10 e-mails to Microsoft explaining his findings but never received a response. Sohn said the company was investigating how it might have missed those reports.

Danka said he discovered the flaw after unknown hackers repeatedly hijacked Passport accounts belonging to him and a friend. He said he found the problem on Microsoft's Web site that controls Passport accounts about four minutes after he began searching in earnest.

"It was so simple to do it. It shouldn't have been so simple," Danka told The Associated Press in a telephone interview from Karachi. "Anyone could have done this."

Microsoft should have been rejecting such transmissions from anywhere outside the company's own network, Sohn acknowledged. Microsoft shut down the affected Web address late Wednesday night, just over one hour after details were published on the Internet. Those filters were permanently set in place early Thursday, Sohn said.

"We didn't validate the input," Sohn said. "We allowed somebody external to do something only the system itself should be doing. Somebody plumbed around ... and figured out they could do this."
__________________
The ways of Man are passing strange, he buys his freedom and he counts his change.
Then he lets the wind his days arrange and he calls the tide his master.
Promethus is offline  
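As an added illustration (not code from the article or from Microsoft's Passport service), the two controls Sohn describes, refusing the privileged reset from outside the company's own network and verifying that an external caller actually owns the account, beside a handler that does neither; the class names, the `emailpwdreset` method, the network range, the sample accounts and the 15-minute token lifetime are all assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time

def hash_pw(password: str) -> str:
    # Stand-in for the demo; a real service stores passwords with a slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()

class VulnerablePassport:
    """Reset handler as the article describes the flaw: reachable from
    anywhere and acting on whatever account name the request carries."""

    def __init__(self, accounts: dict):
        self.accounts = accounts  # email -> password hash (constructed sample data)

    def emailpwdreset(self, email: str, new_password: str, caller_ip: str) -> bool:
        if email not in self.accounts:
            return False
        self.accounts[email] = hash_pw(new_password)  # no proof of ownership, no origin check
        return True

class HardenedPassport:
    """Same service with the two controls the article names: the privileged reset is
    honoured only from the service's own network, and an external caller must present
    a server-issued, single-use, expiring token."""
    TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed value)

    def __init__(self, accounts: dict, internal_nets, clock=time.time):
        self.accounts = accounts
        self.internal_nets = [ipaddress.ip_network(n) for n in internal_nets]
        self.clock = clock  # injectable so expiry can be tested deterministically
        self.pending = {}  # email -> (sha256 of token, expiry time)

    def _from_internal(self, caller_ip: str) -> bool:
        return any(ipaddress.ip_address(caller_ip) in net for net in self.internal_nets)

    def emailpwdreset(self, email: str, new_password: str, caller_ip: str) -> bool:
        # Privileged path meant for the system itself: refused from outside the network.
        if not self._from_internal(caller_ip) or email not in self.accounts:
            return False
        self.accounts[email] = hash_pw(new_password)
        return True

    def request_reset(self, email: str):
        # Public path, step 1: mint a random token (it would be mailed to the account
        # owner) and store only its hash, so a leaked table cannot be replayed.
        if email not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)
        self.pending[email] = (hashlib.sha256(token.encode()).hexdigest(),
                               self.clock() + self.TOKEN_TTL)
        return token

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        # Public path, step 2: the token must match, be unexpired and unused.
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expiry = entry
        presented = hashlib.sha256(token.encode()).hexdigest()
        if self.clock() > expiry or not hmac.compare_digest(digest, presented):
            return False
        del self.pending[email]  # single use
        self.accounts[email] = hash_pw(new_password)
        return True
```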
Old May 9, 2003, 23:57   #2
Agathon
Mac
Emperor
 
Local Time: 10:09
Local Date: November 2, 2010
Join Date: Dec 2002
Location: Wal supports the CPA
Posts: 3,948
That's nothing. The hard part would be getting Asher to admit a Microsoft security flaw.
__________________
Only feebs vote.
Agathon is offline  
Old May 9, 2003, 23:59   #3
Asher
Apolytoners Hall of Fame
President of the OT
 
Local Time: 19:09
Local Date: November 1, 2010
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
I don't see the point of this thread.

Security flaw found, MS engineers worked overnight and fixed it by morning.

What they also don't mention in the article is the guy sent e-mails to MS departments completely unrelated to software security.

Oh the humanity.

Quote:
Originally posted by Agathon
That's nothing. The hard part would be getting Asher to admit a Microsoft security flaw.
Words cannot describe the stupidity of that post.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
Asher is offline  
Old May 10, 2003, 00:04   #4
Promethus
Settler
 
Local Time: 20:09
Local Date: November 1, 2010
Join Date: Jan 2002
Location: Battle Creek, Michigan
Posts: 23
Asher

You can only say this was not a problem because the hackers who found it were stupid and the researcher who reported it was honorable.

Quote:

Danka said he discovered the flaw after unknown hackers repeatedly hijacked Passport accounts belonging to him and a friend. He said he found the problem on Microsoft's Web site that controls Passport accounts about four minutes after he began searching in earnest.

EDIT: Typos
__________________
The ways of Man are passing strange, he buys his freedom and he counts his change.
Then he lets the wind his days arrange and he calls the tide his master.
Promethus is offline  
Old May 10, 2003, 00:06   #5
Agathon
Mac
Emperor
 
Local Time: 10:09
Local Date: November 2, 2010
Join Date: Dec 2002
Location: Wal supports the CPA
Posts: 3,948
Quote:
Originally posted by Asher
I don't see the point of this thread.

Security flaw found, MS engineers worked overnight and fixed it by morning.

What they also don't mention in the article is the guy sent e-mails to MS departments completely unrelated to software security.

Oh the humanity.


Here he is, still marching stiffly to the Redmond drum. Did any God in the history of fanaticism ever have such a blindly faithful worshipper as Gates has Asher?

I think not....
__________________
Only feebs vote.
Agathon is offline  
Old May 10, 2003, 00:06   #6
Asher
Apolytoners Hall of Fame
President of the OT
 
Local Time: 19:09
Local Date: November 1, 2010
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
Quote:
Originally posted by Promethus
Asher

You can only say this was not a problem because the hackers who found it were stupid and the researcher who reported it was honorable.
Honourable? Maybe, but he was rather stupid himself.

There are official channels for this kind of information, mass-mailing them to stuff like pr@microsoft.com doesn't get you anywhere.

MS found out about it from a C|Net story on it, which the "honourable" hacker leaked to the public so anyone could exploit it.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
Asher is offline  
Old May 10, 2003, 00:08   #7
Asher
Apolytoners Hall of Fame
President of the OT
 
Local Time: 19:09
Local Date: November 1, 2010
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
Quote:
Originally posted by Agathon


Here he is, still marching stiffly to the Redmond drum. Did any God in the history of fanaticism ever have such a blindly faithful worshipper as Gates has Asher?

I think not....
You wanna contribute, contribute.

If I was a mod I'd crack down on people like you hijacking threads with irrelevant ad hominem trolls.

Grow up.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
Asher is offline  
Old May 10, 2003, 00:10   #8
Agathon
Mac
Emperor
 
Local Time: 10:09
Local Date: November 2, 2010
Join Date: Dec 2002
Location: Wal supports the CPA
Posts: 3,948
Quote:
Originally posted by Asher

If I was a mod I'd crack down on people like you hijacking threads with irrelevant ad hominem trolls.
Awwwww, poor little rich gay fascist boy.
__________________
Only feebs vote.
Agathon is offline  
Old May 10, 2003, 00:11   #9
Asher
Apolytoners Hall of Fame
President of the OT
 
Asher's Avatar
 
Local Time: 19:09
Local Date: November 1, 2010
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
http://news.com.com/2100-1002-1000429.html?tag=nl

Quote:
However, he didn't send an e-mail to Microsoft's standard security contact point, secure@microsoft.com.
So, moral of the story:
Hacker reports the bug to irrelevant MS departments, publishes them online for everyone to exploit, anti-MS zealots around the world laugh it up because "he contacted MS and they didn't fix it until it was published" (probably because he 1) didn't allow enough time for employees to forward the message seeing as it was 8pm, 2) didn't send it to the 24/7-watched secure@microsoft.com address).

And regardless, MS worked overnight to fix it the moment the security teams found out about it.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
Asher is offline  
Old May 10, 2003, 00:16   #10
Skanky Burns
Alpha Centauri Democracy Game | ACDG The Cybernetic Consciousness | C4DG Team Alpha Centaurians | Apolytoners Hall of Fame | ACDG3 Spartans
 
Local Time: 12:09
Local Date: November 2, 2010
Join Date: Aug 2001
Location: Skanky Father
Posts: 16,530
Quote:
Originally posted by Agathon
Awwwww, poor little rich gay fascist boy.
With the intelligence level you routinely display, your posts simply aren't worth reading.

Welcome to my ignore list.
__________________
I'm building a wagon! On some other part of the internets, obviously (but not that other site).
Skanky Burns is offline  
Old May 10, 2003, 00:17   #11
Agathon
Mac
Emperor
 
Local Time: 10:09
Local Date: November 2, 2010
Join Date: Dec 2002
Location: Wal supports the CPA
Posts: 3,948
Quote:
Originally posted by Skanky Burns

With the intelligence level you routinely display, your posts simply aren't worth reading.

Welcome to my ignore list.
A badge of honour.
__________________
Only feebs vote.
Agathon is offline  
Old May 10, 2003, 00:18   #12
Boris Godunov
Civilization II Multiplayer | Apolytoners Hall of Fame | Civilization IV: Multiplayer
Emperor
 
Local Time: 18:09
Local Date: November 1, 2010
Join Date: Aug 2001
Location: Portland, OR
Posts: 4,412
Quote:
Originally posted by Agathon
Awwwww, poor little rich gay fascist boy.
Well, that about confirms it--you're a shithead.
__________________
Everything in the world is a jest
Boris Godunov is offline  
Old May 10, 2003, 00:28   #13
Imran Siddiqui
staff
Apolytoners Hall of Fame | Age of Nations Team | PolyCast Team
 
Local Time: 21:09
Local Date: November 1, 2010
Join Date: Dec 1969
Location: on the corner of Peachtree and Peachtree
Posts: 30,698
It took you this long, Boris?
__________________
“I give you a new commandment, that you love one another. Just as I have loved you, you also should love one another. By this everyone will know that you are my disciples, if you have love for one another.”
- John 13:34-35 (NRSV)
Imran Siddiqui is offline  
Old May 10, 2003, 00:33   #14
Boris Godunov
Civilization II Multiplayer | Apolytoners Hall of Fame | Civilization IV: Multiplayer
Emperor
 
Local Time: 18:09
Local Date: November 1, 2010
Join Date: Aug 2001
Location: Portland, OR
Posts: 4,412
Quote:
Originally posted by Imran Siddiqui
It took you this long, Boris?
He graduated up from *******.
__________________
Everything in the world is a jest
Boris Godunov is offline  
Old May 10, 2003, 00:34   #15
Imran Siddiqui
staff
Apolytoners Hall of Fame | Age of Nations Team | PolyCast Team
 
Local Time: 21:09
Local Date: November 1, 2010
Join Date: Dec 1969
Location: on the corner of Peachtree and Peachtree
Posts: 30,698


Or do you rather mean graduated down?
__________________
“I give you a new commandment, that you love one another. Just as I have loved you, you also should love one another. By this everyone will know that you are my disciples, if you have love for one another.”
- John 13:34-35 (NRSV)
Imran Siddiqui is offline  
Old May 10, 2003, 00:39   #16
Boris Godunov
Civilization II Multiplayer | Apolytoners Hall of Fame | Civilization IV: Multiplayer
Emperor
 
Local Time: 18:09
Local Date: November 1, 2010
Join Date: Aug 2001
Location: Portland, OR
Posts: 4,412
Upgrade. From @sshole ME to shithead XP.
__________________
Everything in the world is a jest
Boris Godunov is offline  
Old May 10, 2003, 00:45   #17
MRT144
inmate
DiploGames
King
 
Local Time: 18:09
Local Date: November 1, 2010
Join Date: Oct 2002
Location: Seattle Washington
Posts: 2,954
agathon is officially worthless.
__________________
"I hope I get to punch you in the face one day" - MRT144, Imran Siddiqui
'I'm fairly certain that a ban on me punching you in the face is not a "right" worth respecting." - loinburger
MRT144 is offline  
Old May 10, 2003, 01:28   #18
faded glory
Civilization II Multiplayer
King
 
Local Time: 01:09
Local Date: November 2, 2010
Join Date: Jan 2001
Location: Fascist party of apolyton.
Posts: 1,405
lol

figures.

Anyway, I'm gonna start a windows company. Gonna call it Mikrosoft Windows. We're gonna make REAL windows for houses; the locks will be rigged to break after a couple of days, ensuring a way in for robbers!
faded glory is offline  
Old May 10, 2003, 01:31   #19
faded glory
Civilization II Multiplayer
King
 
Local Time: 01:09
Local Date: November 2, 2010
Join Date: Jan 2001
Location: Fascist party of apolyton.
Posts: 1,405
No, I'm not anti-Microsoft. Hardly, considering the alternatives with Linux, but Linux isn't too bad for a free download.

My biggest gripe? WINE emulator only works half the $@^@! time
faded glory is offline  
Old May 10, 2003, 01:32   #20
Asher
Apolytoners Hall of Fame
President of the OT
 
Local Time: 19:09
Local Date: November 1, 2010
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
WINE Is Not an Emulator.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
Asher is offline  
Old May 10, 2003, 01:35   #21
Agathon
Mac
Emperor
 
Local Time: 10:09
Local Date: November 2, 2010
Join Date: Dec 2002
Location: Wal supports the CPA
Posts: 3,948
Quote:
Originally posted by Boris Godunov

Well, that about confirms it--you're a shithead.
Boo hoo. I'm so sad....

So it's OK for Asher to do things like accuse me of necrophilia, but not OK for him to take a bit now and then. Face it, Boris, your politics continually get in the way of rationality.

Pathetic...
__________________
Only feebs vote.
Agathon is offline  
Old May 10, 2003, 01:37   #22
faded glory
Civilization II Multiplayer
King
 
Local Time: 01:09
Local Date: November 2, 2010
Join Date: Jan 2001
Location: Fascist party of apolyton.
Posts: 1,405
$^@! Same friggin' thing. Uses system DLLs ported to Unix.

I think you know what I meant.
faded glory is offline  
Old May 10, 2003, 01:39   #23
Asher
Apolytoners Hall of Fame
President of the OT
 
Local Time: 19:09
Local Date: November 1, 2010
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
Quote:
Originally posted by Agathon
Boo hoo. I'm so sad....

So it's OK for Asher to do things like accuse me of necrophilia, but not OK for him to take a bit now and then. Face it, Boris, your politics continually get in the way of rationality.

Pathetic...
Someone should also explain to you the concept of a thread. Using my cheeky implication months ago in another thread that some people (in general) were necrophiliacs (I can't even remember the situation it was), is a completely separate thread from this one and certainly doesn't warrant your random insults even before I posted in here.

Take your comments somewhere where they're appreciated.

Or at least be a man and apologize.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
Asher is offline  
Old May 10, 2003, 01:41   #24
faded glory
Civilization II Multiplayer
King
 
Local Time: 01:09
Local Date: November 2, 2010
Join Date: Jan 2001
Location: Fascist party of apolyton.
Posts: 1,405
lol
faded glory is offline  
Old May 10, 2003, 01:45   #25
faded glory
Civilization II Multiplayer
King
 
Local Time: 01:09
Local Date: November 2, 2010
Join Date: Jan 2001
Location: Fascist party of apolyton.
Posts: 1,405
I understand WINE is still under dev and all since 3.1. Most newer Win32 apps won't work on Unix platforms. But a lot of other stuff has a big database to get what you need. Half the time it wouldn't work anyway.
faded glory is offline  
Old May 10, 2003, 01:51   #26
LoneWolf
Settler
 
Local Time: 19:09
Local Date: November 1, 2010
Join Date: Feb 2001
Posts: 24
Well if Microsoft's Passport security is no worse than that of the French, I guess we should be thankful.
LoneWolf is offline  
Old May 10, 2003, 01:51   #27
faded glory
Civilization II Multiplayer
King
 
Local Time: 01:09
Local Date: November 2, 2010
Join Date: Jan 2001
Location: Fascist party of apolyton.
Posts: 1,405
I think most Win apps are too dependent on DirX to be ported to Linux distros anyway. WineX is OK I guess, but it isn't GNU, it's GNU LGPL.

Last edited by faded glory; May 10, 2003 at 02:04.
faded glory is offline  
Old May 10, 2003, 01:52   #28
faded glory
Civilization II Multiplayer
King
 
Local Time: 01:09
Local Date: November 2, 2010
Join Date: Jan 2001
Location: Fascist party of apolyton.
Posts: 1,405
OMFG IM TALKING ABOUT LINUX!!!!!!!
faded glory is offline  
Old May 10, 2003, 01:59   #29
MichaeltheGreat
Apolytoners Hall of Fame
Apolyton Grand Executioner
 
Local Time: 17:09
Local Date: November 1, 2010
Join Date: Oct 1999
Location: Fenway Pahk
Posts: 1,755
Quote:
Originally posted by Asher
If I was a mod I'd crack down on people like you hijacking threads with irrelevant ad hominem trolls.
If I did that, 90% of the OT posters would be gone.

However, looking at the last few posts in this thread, I can see I might have to bust a few heads. I've been falling behind Ming anyway.
__________________
Bush-Cheney 2008. What's another amendment between friends?
*******
When all else fails, blame brown people. | Hire a teen, while they still know it all.
MichaeltheGreat is offline  
Old May 10, 2003, 02:00   #30
MichaeltheGreat
Apolytoners Hall of Fame
Apolyton Grand Executioner
 
Local Time: 17:09
Local Date: November 1, 2010
Join Date: Oct 1999
Location: Fenway Pahk
Posts: 1,755
Quote:
Originally posted by Agathon


Awwwww, poor little rich gay fascist boy.
Ok, this one gets you a week for starters.
__________________
Bush-Cheney 2008. What's another amendment between friends?
*******
When all else fails, blame brown people. | Hire a teen, while they still know it all.
MichaeltheGreat is offline  
 

Apolyton Civilization Site | Copyright © The Apolyton Team