Holey Hotmail

If the biggest free e-mail service can't keep our mail private, forget about moving all our data onto the Web.

Published September 1, 1999 4:00PM (EDT)

There are security holes, and then there are security holes.

Most computer security problems you read about are obscure problems requiring some advanced skills to exploit. They're potentially dangerous and it's important that they be fixed, but they seem to require a Ph.D. to understand and no one you or I know has ever fallen victim to them.

This past weekend's Hotmail debacle was different -- it was a security breach that anyone could poke his head through. All you had to do was approach Hotmail from a Web page containing some simple code and you could access anyone's account on the popular free e-mail service run by Microsoft. If you knew the e-mail address of any of the 40 million accounts that Hotmail claims, you could read that person's messages -- no password needed.

The open-sesame code circulated on a variety of Web sites last weekend. After a Swedish newspaper reported the problem early Monday, Hotmail shut its servers down and then scrambled through the day to plug the hole.

Early statements from company spokesmen declared that you'd need "specific knowledge of advanced Web development languages" to break into Hotmail via this route. In fact, all you needed was someone to point you to a Web page.

This was a security hole you could drive a tank through. Indeed, judging from accounts posted on different bulletin boards, many people did just that -- testing out the secret Hotmail entryway to see if it could really be as bad as it seemed. No reports have surfaced yet of any active mischief performed by people exploiting the Hotmail hole to plunder others' mailboxes. But it seems that lots of Web users got to experience the thrill -- and horror -- of electronic eavesdropping.

Given the sheer scope of the disaster, media coverage was surprisingly muted. It may be that the drumbeat of recent security problems, particularly ones tied to Microsoft, has simply numbed both reporters and readers: This month alone, preceding Hotmail's snafu, we learned about a hole in the ActiveX code in Microsoft's Internet Explorer 5.0 browser that could allow Web sites to destroy files on your computer; another hole in Microsoft's Office 97 and Office 2000 that allows rogue code to do nasty things to your computer; and yet another hole in Microsoft's implementation of Java that could allow malicious folks to send you an e-mail message that opened your computer to attack.

With Microsoft's product line looking increasingly like Swiss cheese, it would be easy to jump on the latest Hotmail incident as a sign of the software giant's clumsiness or incompetence. In truth, though, the Hotmail service runs not on Windows NT but on Unix servers similar to those that power the majority of the Web's high-traffic sites. Hotmail's woes most likely stemmed less from operating-system design or bad program code than from plain old systems-administration carelessness.

Microsoft isn't telling the world much about what happened -- its message to Hotmail users is a model of corporate opacity. But based on what I've observed and been able to glean, here's my guess at how Hotmail got hacked.

A few weeks ago, Microsoft was rolling out its new Passport program -- designed to make it easy to use one ID and password across many sites. Passport is still being promoted on the Hotmail home page with the line "Your Hotmail account just got more powerful with Microsoft Passport." In hooking up Hotmail to Passport, Microsoft set up some test servers that had special access privileges. (One of the servers the Hotmail master-key sites pointed to on Monday was named "wya-test-www.hotmail.passport.com.") Somehow someone outside the company learned of this, walked in through the wide-open door and decided to spread the word.

A lot of Hotmail users are going to be very mad about this debacle, and it's not going to make them feel better to tell them that "you get what you pay for." (Hotmail was the pioneer of free Web-based e-mail, which quickly became a standard feature of many online services and portals.) As ZDNet's Jesse Berst points out, many people use services like Hotmail for personal, sensitive or confidential e-mail that they don't want to route through their employer -- so their Hotmail in boxes are the last ones they want to see broken into.

It's easy to trot out the old truisms about security: that there's no such thing as a totally secure computer system on a network; that every system has its weaknesses; that a free system serving millions of people on the Net is bound to have some vulnerabilities. That's all undeniable -- but it won't make you feel better the next time you learn that some clown deleted your e-mail.

One lesson underscored here is that the Net magnifies any security breach to gargantuan proportions. Got a master password, a back door or a hole in your code? Sooner or later someone will get his hands on it and publish it to the world. (One server hosting the Hotmail entrance was in Sweden; another, apparently, was in Uzbekistan.) That's the bad news about word traveling fast; the good news is, you're bound to hear about any trouble yourself, soon enough.

But there's a bigger lesson in Hotmail's disaster that raises questions about the whole direction of Web software. Today there are a million and one companies determined to get us all to move our entire lives onto the Web. In the future, according to this network-centric vision of computing, we will conduct all our business on Web sites rather than our own hard drives; our text documents, calendars, personal finances, to-do lists and address books -- as well, of course, as our e-mail -- will all be housed on some friendly Web server.

There are lots of advantages to this model, to be sure; you don't have to worry about synchronizing data between home and workplace, for instance. But there's one huge disadvantage that the Hotmail saga neatly illuminates: Once your data is on someone else's machine, its privacy and safety is utterly in the hands of that someone.

One of the sites that published the Hotmail entrance code later replaced it with a brief message that concluded, "btw, do you trust microsoft?" Maybe you do trust that Microsoft isn't interested in reading your e-mail (a good bet); you still might not trust it to keep your e-mail safe from prying eyes, given this week's events.

If we're lucky, enough people will get mad enough about what happened at Hotmail to force more companies like Microsoft to treat security as a priority, not an afterthought. If we're really lucky, there'll be a public groundswell for privacy strong enough to derail schemes like the dangerous plan currently under discussion in Washington to give the government the right to break into home computers.

More likely, though, we will continue to barrel down the road to Free Web-Based Everything -- and to be rudely awakened by more headlines about security holes.

By Scott Rosenberg

Salon co-founder Scott Rosenberg is director of MediaBugs.org. He is the author of "Say Everything" and Dreaming in Code and blogs at Wordyard.com.

MORE FROM Scott Rosenberg

Related Topics ------------------------------------------

Microsoft Privacy