Holey Hotmail
Sept. 1, 1999
Scott Rosenberg's column appears once a week in Technology.

Most computer security problems you read about are obscure problems requiring some advanced skills to exploit. They're potentially dangerous and it's important that they be fixed, but they seem to require a Ph.D. to understand and no one you or I know has ever fallen victim to them.

This past weekend's Hotmail debacle was different -- it was a security breach that anyone could poke his head through. All you had to do was approach Hotmail from a Web page containing some simple code and you could access anyone's account on the popular free e-mail service run by Microsoft. If you knew the e-mail address of any of the 40 million accounts that Hotmail claims, you could read that person's messages -- no password needed.

The open-sesame code circulated on a variety of Web sites last weekend. After a Swedish newspaper reported the problem early Monday, Hotmail shut its servers down and then scrambled through the day to plug the hole. Early statements from company spokesmen declared that you'd need "specific knowledge of advanced Web development languages" to break into Hotmail via this route. In fact, all you needed was someone to point you to a Web page.

Given the sheer scope of the disaster, media coverage was surprisingly muted. It may be that the drumbeat of recent security problems, particularly ones tied to Microsoft, has simply numbed both reporters and readers: This month alone, preceding Hotmail's snafu, we learned about a hole in the ActiveX code in Microsoft's Internet Explorer 5.0 browser that could allow Web sites to destroy files on your computer; another hole in Microsoft's Office 97 and Office 2000 that allows rogue code to do nasty things to your computer; and yet another hole in Microsoft's implementation of Java that could allow malicious folks to send you an e-mail message that opened your computer to attack.
With Microsoft's product line looking increasingly like Swiss cheese, it would be easy to jump on the latest Hotmail incident as a sign of the software giant's clumsiness or incompetence. In truth, though, the Hotmail service runs not on Windows NT but on Unix servers similar to those that power the majority of the Web's high-traffic sites. Hotmail's woes most likely stemmed less from operating-system design or bad program code than from plain old systems-administration carelessness. Microsoft isn't telling the world much about what happened -- its message to Hotmail users is a model of corporate opacity. But based on what I've observed and been able to glean, here's my guess at how Hotmail got hacked.
Copyright © 2000 Salon.com All rights reserved.