Re: [ISN] Hackers Shortcut Hotmail Password Reset Protections

From: InfoSec News (isnat_private)
Date: Wed Feb 13 2002 - 02:13:16 PST

Next message: InfoSec News: "[ISN] Group warns of widespread security flaw among Internet network devices"

Previous message: InfoSec News: "Re: [ISN] Microsoft Recalls Botched Browser Security Patch"
Maybe in reply to: InfoSec News: "[ISN] Hackers Shortcut Hotmail Password Reset Protections"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Forwarded from: Robert G. Ferrell <rferrellat_private>

> Security researchers have discovered a vulnerability in Microsoft
> Corp.'s Hotmail service that allows hackers to bypass security
> questions that users must answer before resetting their passwords.

Sorry, but if you're relying on Microsoft to provide security, you
pretty much deserve what you get.  Hotmail, especially, has been the
subject of a long string of embarrassing and extremely glaring
security glitches.  But it's really only the tip of the iceberg.

Jericho and I had a discussion about Microsoft's security posture over
a few beers the other day, and I'm fully in agreement with his stance,
which is basically that the new emphasis on secure programming is a
smokescreen designed to reassure the gullible without really effecting
any change in their corporate culture.  They'll crowd their coders
into some classrooms for a month, milk the experience for all the
publicity they can, and then go back to spitting out the same
feature-soaked, security-poor software they always have.  But now they
can slap little colored labels on it that say "security-enhanced" or
some other misleading and completely bogus claims.

Bill Gates is a billionaire.  The reason he's a billionaire is that
people buy anything and everything that Microsoft cranks out, without
questioning it, in the same consumer herd mentality that's produced so
many tycoons in the past.  He's obviously seriously successful; why on
earth would he he want to change a formula that's worked so well up to
now?  A few of us in the security community pissing and moaning about
his crappy software won't make a scrap of difference unless John Q.
Public stops buying it. We can complain until we get blue in the face
and pass out, for all he cares.

Caveat emptor isn't just an aphorism these days, it's a matter of
survival.

Cheers,

RGF

Robert G. Ferrell
rferrellat_private
http://rferrell.home.texas.net/rgflit.html 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.

Next message: InfoSec News: "[ISN] Group warns of widespread security flaw among Internet network devices"
Previous message: InfoSec News: "Re: [ISN] Microsoft Recalls Botched Browser Security Patch"
Maybe in reply to: InfoSec News: "[ISN] Hackers Shortcut Hotmail Password Reset Protections"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Feb 13 2002 - 05:54:19 PST