Thursday, Jul 24, 2008
If the biggest free e-mail service can't keep our mail private, forget about moving all our data onto the Web.
Sep 1, 1999 | There are security holes, and then there are security holes.
Most computer security problems you read about are obscure problems requiring some advanced skills to exploit. They're potentially dangerous and it's important that they be fixed, but they seem to require a Ph.D. to understand and no one you or I know has ever fallen victim to them.
This past weekend's Hotmail debacle was different -- it was a security breach that anyone could poke his head through. All you had to do was approach Hotmail from a Web page containing some simple code and you could access anyone's account on the popular free e-mail service run by Microsoft. If you knew the e-mail address of any of the 40 million accounts that Hotmail claims, you could read that person's messages -- no password needed.
The open-sesame code circulated on a variety of Web sites last weekend. After a Swedish newspaper reported the problem early Monday, Hotmail shut its servers down and then scrambled through the day to plug the hole.
Early statements from company spokesmen declared that you'd need "specific knowledge of advanced Web development languages" to break into Hotmail via this route. In fact, all you needed was someone to point you to a Web page.
This was a security hole you could drive a tank through. Indeed, judging from accounts posted on different bulletin boards, many people did just that -- testing out the secret Hotmail entryway to see if it could really be as bad as it seemed. No reports have surfaced yet of any active mischief performed by people exploiting the Hotmail hole to plunder others' mailboxes. But it seems that lots of Web users got to experience the thrill -- and horror -- of electronic eavesdropping.
Given the sheer scope of the disaster, media coverage was surprisingly muted. It may be that the drumbeat of recent security problems, particularly ones tied to Microsoft, has simply numbed both reporters and readers: This month alone, preceding Hotmail's snafu, we learned about a hole in the ActiveX code in Microsoft's Internet Explorer 5.0 browser that could allow Web sites to destroy files on your computer; another hole in Microsoft's Office 97 and Office 2000 that allows rogue code to do nasty things to your computer; and yet another hole in Microsoft's implementation of Java that could allow malicious folks to send you an e-mail message that opened your computer to attack.
With Microsoft's product line looking increasingly like Swiss cheese, it would be easy to jump on the latest Hotmail incident as a sign of the software giant's clumsiness or incompetence. In truth, though, the Hotmail service runs not on Windows NT but on Unix servers similar to those that power the majority of the Web's high-traffic sites. Hotmail's woes most likely stemmed less from operating-system design or bad program code than from plain old systems-administration carelessness.
Microsoft isn't telling the world much about what happened -- its message to Hotmail users is a model of corporate opacity. But based on what I've observed and been able to glean, here's my guess at how Hotmail got hacked.
Get Salon in your mailbox!