[ISN] The trouble with Hotmail

From: InfoSec News (isnat_private)
Date: Wed Aug 22 2001 - 03:03:34 PDT


    [No mention of this weekend's troubles with Hotmail, but still an
    interesting read.  - WK]
    By Damien Cave
    Aug. 21, 2001 
    At first, Dave Miller didn't mind when Hotmail started treating him
    like a child. The 33-year-old software engineer had been using the
    Web-based e-mail service since 1995 -- two years before Microsoft
    purchased it -- and he'd grown accustomed to the outages and quirky
    malfunctions that occasionally afflicted his account.
    It did seem a little bit odd that Hotmail would only allow him access
    to his e-mail after a "parent" logged in from another account and gave
    Miller permission, but he figured that the glitch was probably due to
    a recent redesign. He used another Hotmail account to approve his own
    attempt to get his own e-mail, and expected the Hotmail hiccup to be
    fixed in a matter of days.
    But the problem persisted. Eventually Miller figured it out: In late
    July he had signed his daughter up for a children's version of Hotmail
    and Microsoft's Instant Messenger service; in the process, which he
    calls "inconsistent and confusing," he inadvertently kiddie-sized his
    own account.
    "I set my birthday to hers -- June 29, 1996," he says.
    Miller immediately shot an e-mail to Hotmail tech support, assuming
    that a representative could easily fix his "Passport," the log-in
    template that stores personal information for users of Hotmail and
    other Microsoft services.
    Yet Microsoft told Miller his account couldn't be fixed. "I'm sorry to
    say this," came the reply from Redmond, "but we cannot change a
    child's account to a 'Regular adult/full' Passport account when you
    already gave consent to it."
    No reasons were offered, technical or policy-based. The e-mail merely
    encouraged Miller to keep going through the convoluted process of
    giving himself permission "by using another parent account."
    Miller, a software quality assurance expert, could hardly believe what
    he was reading. Microsoft's inability to simply change the age, or
    even delete and re-create the account, seemed ridiculous. Though
    perhaps not quite life-threatening in importance, to Miller the
    incident bore a significance that extended beyond your average
    software nuisance. If Microsoft's engineers couldn't fix an apparently
    minor problem with Hotmail, how much confidence should Net users place
    in Microsoft's much more ambitious plans -- with its much ballyhooed
    .NET initiative and HailStorm -- to absorb their online lives?
    "These kinds of problems are indicative of slipshod design," he says.
    "They certainly say something disturbing about the entire .NET
    Microsoft's .NET plan, which some observers see as part of a
    comprehensive strategy to battle AOL Time Warner for mastery of the
    online universe, is built on the premise that users will allow the
    consolidation of their personal information on centralized Microsoft
    server computers. The payoff is supposed to be "seamless" access to a
    vast array of online services. But to critics, the consolidation of
    e-mail, instant messaging and other goodies in the hands of Microsoft
    -- beyond, obviously, sounding antitrust alarms -- would make everyone
    more dependent on Microsoft's software infrastructure. And that
    infrastructure is already prone to virus attacks and other weaknesses
    that the rest of the Net has so far managed to evolve strong defenses
    Microsoft representatives argue, in return, that Hotmail still works
    better than other Web-based e-mail services. Defenders of the company
    suggest that Hotmail's growing pains offer valuable lessons for
    Microsoft that will actually help .NET succeed.
    But Dave Miller's Hotmail woes are hardly unique. In 1998, news
    traveled quickly around the Web of a method to steal Hotmail
    passwords; a year later, Microsoft paralyzed the service by forgetting
    to reregister the Passport.com domain name.
    Meanwhile, outages have become commonplace, almost every-month
    occurrences -- and not just for Hotmail. Microsoft's Instant Messenger
    service -- which also uses Passport -- suffered a 10-day outage
    earlier this summer, and in late July, millions of users lost Hotmail
    access for several days after Hotmail's Windows NT servers were
    infected by the Code Red virus -- a problem that primarily affected
    Microsoft NT servers, and not computers running Linux-based or Unix
    operating systems or the Apache Web server program.
    Microsoft's goal of becoming a one-stop shop for the entire Net is no
    secret. But is such a place, to paraphrase the company's own
    ubiquitous advertising slogan, really where we want to go today, let
    alone tomorrow?
    Many of Hotmail's problems can be blamed on sheer size. When Microsoft
    bought Hotmail in 1997 for $400 million, the service claimed it had
    about 9 million users. Over the past four years, that number has
    jumped to 110 million, according to Microsoft.
    Scaling up is always a problem for Internet applications, but
    Web-based e-mail is especially hard to manage, says Lawrence Hughes,
    author of "Internet E-Mail: Protocols, Standards and Implementation."
    It's "extremely difficult to get right," Hughes says, because the
    service tends to be a bandwidth hog. Whereas desktop-based e-mail
    programs use only a few kilobytes to transfer mail, Web-based e-mail
    demands more, sometimes as much as a megabyte per user.
    "This can drastically limit the scalability of the application, even
    on one-GB [gigabyte] servers," Hughes says.
    Maintaining complete locked-down control is also particularly hard for
    Web-based e-mail because log-in processing doesn't take place on the
    PC, but rather on the server, so there's more of an opportunity for
    malicious crackers to intercept the data. The widespread use of
    JavaScript pop-ups adds another window of vulnerability. Indeed, the
    folks who made it possible to steal Hotmail passwords took advantage
    of both problems: They created a pop-up that requested Hotmail log-ins
    and passwords, so when some unsuspecting user typed in the
    confidential information -- thinking the page came from Microsoft --
    it was sent directly to the thieves.
    The lack of Web browser standardization also causes problems:
    Designers can't completely control the look and feel of a Web site in
    the way that the makers of Eudora, or Microsoft's own Outlook, can
    control their user interfaces. Such quirks also make it easy to
    introduce bugs or glitches.
    "It is unbelievably challenging to run and manage an online service of
    [Hotmail's] scope, regardless of who you are," says Ray Ozzie, creator
    of Lotus Notes and the founder of Groove Networks, a peer-to-peer
    software company. "NASDAQ has had their share of highly visible
    problems recently, eBay and AOL have had their share over the years
    and so on."
    And instead of hurting Microsoft, Ozzie argues, Hotmail's outages,
    security problems and minor troubles may actually improve the
    company's chances of making .NET work. Solutions can be applied to
    more ambitious plans, "increas[ing] the probability that they'll be
    able to manage the more strategically important services such as
    HailStorm when they indeed need to roll them out," he says.
    Ozzie, however, is hardly an objective pundit; although a
    nondisclosure agreement prevents him from revealing the details, he's
    working with Microsoft's Hailstorm team on yet-to-be-announced
    And even if the Hotmail development process can be regarded as a
    training-wheels approach to .NET, that still may not be enough to
    ensure success, say critics.
    "Is sitting in a wading pool good training for the Olympic high dive?"
    asks Miller. "You might learn some basics like, 'Don't breathe when
    your head is underwater,' but you're never going to pick up the
    technique until you buckle down and do it right."
    Ultimately, according to Miller and other critics, there's only one
    way for Microsoft to make .NET a success -- by radically changing the
    company's corporate culture. It all starts with security.
    .NET is more fragile than the average Microsoft initiative because
    every service will be attached to a centralized network rather than a
    stand-alone PC; a problem for one could be a problem for all. So in
    order to remove the risk of a complete meltdown -- in order to obtain
    the steady reliability people have come to expect from desktop
    software systems -- Microsoft needs to make security more of a
    It won't be easy. Microsoft has continually "sacrificed security for
    default features," says Roger Grimes, author of "Malicious Mobile
    Code: Virus Protection for Windows." Outlook, for example, contains an
    auto-send feature that's useful but is also regularly exploited to
    spread viruses. Windows NT's basic default installation is also
    problematic, says Grimes, giving every connected user unfettered
    access -- an open-door practice that drives security experts up the
    wall. (Other examples abound; Grimes says that Microsoft has chosen
    functionality over security in at least 19 cases.)
    Microsoft maintains that both security and functionality goals are
    attainable. "Microsoft operates some of the largest Web services in
    the world, and we are very focused on making sure that customers can
    count on a secure, safe experience with those properties," says Adam
    Sohn, product manager for the .NET platform strategy group. "HailStorm
    and .NET are built from the ground up with these tenets in mind, and
    were architected as Internet-native technologies with robust
    infrastructure for security, authentication and privacy."
    Sohn's jargon mastery is impressive, but does not sway Microsoft's
    more ardent gadflies. "The needs of a commercial software enterprise
    such as Microsoft" -- the need to create new products that bring in
    revenue -- "are fundamentally at odds with the growing need for
    software stability," counters Steve Gibson, founder of Gibson Research
    Corporation, a security firm. Take, for example, Microsoft's typical
    response to a security breach. The company posts a software fix or
    patch on its Web site, and expects users to download it and apply it
    themselves. Users bear the brunt of responsibility for ensuring their
    own safety. Does such a strategy mesh with the setting up of a system
    that will require users to trust Microsoft even more than they
    currently do?
    "I have spoken with many system administrators whose voices are never
    heard," says Gibson. "They lament that this 'security model' is
    bass-ackwards and that an unreasonable level of vigilance is being
    required of them."
    "The fact that Microsoft's own Hotmail service -- as well as one or
    more Windows Update servers before that -- were unpatched [when Code
    Red hit] demonstrates the problem with the current approach," Gibson
    Microsoft should spend more time and effort plugging holes before a
    product is released, says Gibson. Or it could go one step further --
    and start embracing solutions that already work and are currently in
    favor with experienced Net users.
    More than 50 percent of publicly accessible Web servers, for example,
    employ the Apache Web server program on top of Linux-based or Unix
    operating systems. Such software isn't chosen simply because much of
    it is free or "open source" (meaning that the underlying software code
    is publicly available) -- it's also widely considered to be more
    stable. Stability, rather than revenue growth, is often the primary
    goal of the programmers who are constantly improving such software.
    As a result, says Chris Coleman, open-source editor at O'Reilly &
    Associates, a computer books publisher, "There aren't any worms for
    Apache. You just don't see these kinds of [Code Red] problems."
    Hotmail actually started out with substantial open-source roots. When
    Microsoft bought the service, Hotmail made heavy use of portions of
    the FreeBSD operating system, along with Solaris, a proprietary Unix
    system developed by Sun Microsystems. Three years later, Microsoft
    moved Hotmail to servers running Windows. Executives argued that
    Microsoft software would do a better job, but if the company had kept
    the older software, Code Red would never have had a chance to take
    Hotmail down.
    Few observers believe that there is any chance that Microsoft will
    base .NET on open-source software -- in fact, many believe exactly the
    opposite, that .NET is in part a strategy designed to force the rest
    of the Net to wean itself away from free software. But in June the
    Wall Street Journal reported that Microsoft -- despite previous claims
    -- was still using open-source software for some Hotmail purposes.
    Even if Microsoft did take some basic steps, tightening default
    security settings and overcoming its reluctance to depend on software
    popular with the rest of the Net, there are still other concerns to be
    Microsoft maintains that .NET is "fully redundant as well as
    geographically distributed to ensure availability" -- in other words,
    it's not supposed to crash. But the entire strategy is predicated on
    returning to exactly the kind of centralized system -- with Microsoft
    and its products at the hub -- that the Internet was supposed to
    There are some obvious benefits to this approach. Having a "Passport"
    with your credit card information and address and other personal
    information may well make it easier to shop online. But it also sets
    up .NET as the ideal target for the seamier elements of the Net --
    marketers who want your personal data, and thieves eager for access to
    your credit card.
    "Individuals and businesses really have to carefully assess the
    tradeoffs in relying upon a single point of vulnerability for things
    that matter to them," says Ozzie of Groove Networks. "There are real
    tradeoffs -- privacy, security, availability, cost -- that we should
    all be thinking about with respect to placing data and applications at
    the 'edge' vs. the 'center' of the network. Neither is the 'right'
    answer for all situations."
    For .NET to work, argues longtime Hotmail user Dan Yurman, "all online
    providers of goods and services or content are going to have to
    address the issue of consumer confidence." Microsoft's own recent
    troubles, such as the 10-day outage of its Instant Messenger service
    this summer, "was not a confidence builder toward that goal," he says.
    Dave Miller, despite his criticisms, isn't positive that the outages
    and glitches will damn .NET to failure. He says he believes Microsoft
    has actually done a decent job of keeping Hotmail afloat. It's the
    little things that put him on edge: the idea that Microsoft is
    embarking on a major technological paradigm shift without knowing how
    to fix minor bugs. Maybe he just wants to be recognized as an adult
    when he signs onto Hotmail; maybe he just wants better customer
    service. But Miller's anger has yet to subside. He figures it's
    Microsoft that needs to grow up.
    "When it comes to handling my personal information and money, I expect
    the handlers to have put some serious effort into planning for the
    contingencies," Miller says. .NET still might work, he says, but
    "don't expect it to be painless."
    ISN is currently hosted by Attrition.org