This story was written by Keith Dawson for the Industry Standard's Media Grok email newsletter. It is archived here for informational purposes only because The Standard's site is no more. This material is Copyright 1999-2001 by Standard Media.

THE INDUSTRY STANDARD MAGAZINE
Media Jumps on Another Security Break for Microsoft
Aug 31 1999 12:00 AM PDT



The crime was obvious: A Swedish newspaper reported over the weekend that Web sites were posting instructions on how to walk right into Hotmail accounts. Anyone could type in a user's name and enter that person's account, no password necessary. Microsoft (MSFT) shut down the free e-mail service for several hours on Monday and put in a fix. The official word from Microsoft was that it had received no reports of account tampering. As for the bust, the media jury is still out on who did it and why.

It was unclear who launched the attack. The Wall Street Journal's unbylined account chalked the invasion up to hackers and left it at that. Wired reported that a hacking group claimed credit for discovering and releasing news of the Hotmail vulnerability. But the New York Times identified a programmer named Michael Nobilio as the creator of the software, saying that Nobilio had intended the mechanism as a convenience for Hotmail users and had never expected it to be manipulated to allow illicit entry. MSNBC pointed to a hole in MSN's new Passport service as the culprit. Jon Thompson, Web site administrator for a site that had hosted the tunnel into Hotmail, told MSNBC's Bob Sullivan, and later Wired, that the vulnerability had been known since Passport's beta version. Microsoft's official response is that the break-in is unrelated to Passport.

Wired dug deep and noted the discrepancy between when Microsoft says it learned of the bug (Monday morning) and when the Swedish newspaper Expressen claimed to have notified the company (early Sunday morning). A second story filed four hours later explored the possibility that the security hole was a "backdoor" left in Hotmail code by accident, a claim that Microsoft strongly denied: "There is nothing to these allegations," Microsoft told Wired's James Glave.

The Washington Post's John Schwartz was one of the few reporters to point out that the often-quoted figure of 40 million Hotmail users is surely exaggerated: Many Hotmail users have multiple accounts, and some use Hotmail accounts as throwaways. Analysis was generally in short supply, but Schwartz worked some into his coverage. "[The Hotmail dustup] is just one more instance of the fact that the fundamental infrastructure is full of holes. ... Things aren't designed to be secure, so how can you expect them to be secure?" security graybeard Peter Neumann told Schwartz. As to why Microsoft seems to get tougher treatment from both hackers and reporters, Neumann was philosophical: "There are a lot of fleas on the 500-pound gorilla."

Hotmail Hack: This Time It's Personal
The Industry Standard

Hotmail Accounts Exposed to All
Wired

Did MS Dig Its Hotmail Hole?
Wired

Hotmail Hackers: 'We Did It'
Wired

Hotmail Cracked Badly
Slashdot

Hacker Attack Hits Free E-mail Service
Washington Post

Microsoft Says It Has Fixed Huge Hotmail Security Flaw
Wall Street Journal
[Registration required.]

Hotmail Accounts Compromised
MSNBC

Hotmail Hole Exposes Free E-mail Accounts (Joe Wilcox)
News.com

Flaw Allows Hackers Into E-mail Accounts
New York Times
[Registration required.]

Hotmail Temporarily Shut Down (AP)
CBS Marketwatch