Archive of UserLand's first discussion group, started October 5, 1998.

Re: A new toy!

Author: Eric Soroos
Posted: 2/5/1999; 1:38:35 PM
Topic: A new toy!
Msg #: 2707 (In response to 2701)

Computer World's article has next to no information about the nature of the bug; therefore it is hard to determine if it could apply to other services.

E-mail is fundamentally insecure. Period. Security was just not designed into the system.

Unless you regularly PGP sign/encrypt your mail, mail can be spoofed to make it appear to come from you, at least on a cursory examination. PGP is the only way to be sure that the mail came from you, assuming of course that your key hasn't been compromised.

For example, if you mail from a typical ISP, where you get a different IP each time you log in, by getting an account of that system I can make a message that will look identical to one that you could send. At that point, the only way to trace the mail would be through matching up the records to see who was at what IP on the dialups when the message was sent. This sort of attack is harder with Hotmail, where it is harder to get into their IP space.

In addition, any system where the passwords are sent in plaintext or easily decrypted form over the network is vulnerable to a packet sniffing type of attack. This covers anything sent by a web browser without SSL.

Lastly, if you have an easily guessed password, consider it cracked. Use passwords that are a combination of letters and numbers that aren't a word in a dictionary. Longer is better. Don't ever use passwords that have been examples in security books.




This page was archived on 6/13/2001; 4:47:46 PM.

© Copyright 1998-2001 UserLand Software, Inc.