May 08, Associated Press Microsoft admits Passport was vulnerable. Computer researcher Muhammad Faisal Rauf Danka of Pakistan discovered how to breach Microsoft Corp.'s security procedures for its Internet Passport service. The service is designed to protect customers visiting some retail Web sites, sending e-mails and in some cases making credit-card purchases. Microsoft acknowledged the flaw affected all its 200 million Passport accounts but said it fixed the problem early Thursday, after details were published on the Internet Wednesday night. Under a settlement with the Federal Trade Commission (FTC) last year over lapsed Passport security, Microsoft pledged to take reasonable safeguards to protect personal consumer information during the next two decades or risk fines up to $11,000 per violation. The FTC's Jessica Rich said Thursday that each vulnerable account could constitute a separate violation - raising the maximum fine that could be assessed against Microsoft to $2.2 trillion. Source: http://www.washingtonpost.com/wp-dyn/articles/A30330-2003May8.html
Thanks, Ron DuFresne On Fri, 9 May 2003, Darren Reed wrote: > In some mail from adf--at--Code511.com, sie said: > > > > Is it me or ms never credit vulnerabilities according to > > http://www.microsoft.com/security/passport_issue.asp "a report was > > published detailing a security vulnerability(...)"? No more details or > > credit. > > And they should because...? If you ask me, doing this for "fame and > fortune" is really against what i would call traditional hacker ethic. > > > I also saw online news like http://www.vnunet.com/News/1140757 none > > mentioned as it was said in Muhammad's post the issue was discovered, and > > ms warned since 12th April 2003. Meaning it let opened user's account (40 m > > users?) open for almost 3 weeks... > > that's ms marketting for you! > > but if you think "open for almost 3 weeks", think again. > > "_KNOWN_ open for almost 3 weeks" is more correct. > > if someone had of been less inclined to show off their skills in being > able to reset hotmail passwords, it'd still be unknown and may have > been "in use" for some time before that, if not by that person then > by others. Will MS tell us? Not likely. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
