Tim Bray on the HotMail Hole

Posted: 8/30/1999; 10:59:54 AM
Topic: Tim Bray on the HotMail Hole
"I went and did 5 minutes research here and there. Just to demystify - since Hotmail apparently runs mostly on various kinds of Unix boxes, this can't be seen as evidence of porous MS software. Basically, what happened was, if you addressed a hotmail account through your browser, pointing the browser at a particular IP address inside Hotmail, it assumed you'd been validated and let you right in. No, I'm not kidding.

"What this is evidence of is appalling, mind-boggling incompetence on the part of one or more engineering geeks at Hotmail. The occurrence of which is certainly not limited to any one company. The thing that's really startling is that the Hotmail system was left on the air for a substantial number of hours after the one line of HTML necessary to open the door had been posted on dozens of public web sites. Now *that* is evidence of totally unforgivable organizational cancer somewhere. Good lord, when I was a sysadmin at a research lab in 1985 and a bored engineer found a way into the root account on one of our unix boxes, we shut all the central systems in the company down until the damage was fixed. And that was just T1 multiplexer switch designs, not allegedly personal email. The really interesting question is how many bad-guys around the web have known about this little bit of nastiness for weeks and have been quietly perusing everybody in the world's email..." -Tim
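The flaw Bray describes, reduced to a toy mailbox front end, as an added illustration that is not Hotmail's code or anything from the original post: the vulnerable handler treats any request that reaches an internal address as already validated, while the fixed handler decides access solely from the session credential. The secret, the internal address and the token format are all constructed assumptions.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed values for the example; nothing here comes from Hotmail.
SECRET = b"server-side-secret"     # assumption: known only to the server
INTERNAL_ADDR = "10.0.0.5"         # hypothetical "particular IP address inside" the service

def issue_token(user: str) -> str:
    """On login, hand the browser an HMAC-bound session token for `user`."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"

def verify_token(token: Optional[str]) -> Optional[str]:
    """Return the user the token was issued to, or None if it is absent or forged."""
    if not token or ":" not in token:
        return None
    user, mac = token.rsplit(":", 1)
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None

def read_mailbox_vulnerable(server_addr: str, account: str,
                            token: Optional[str]) -> Tuple[str, Optional[str]]:
    # The bug: a request that arrived at the internal address is assumed to
    # belong to a user who was validated somewhere upstream, so no credential
    # is checked at all. Anyone who can reach that address reads any account.
    if server_addr == INTERNAL_ADDR:
        return ("200", account)
    if verify_token(token) != account:
        return ("401", None)
    return ("200", account)

def read_mailbox_fixed(server_addr: str, account: str,
                       token: Optional[str]) -> Tuple[str, Optional[str]]:
    # The fix: which address or host the request reached is never an input to
    # the authorization decision; only a valid token for this account opens it.
    if verify_token(token) != account:
        return ("401", None)
    return ("200", account)
```

A regression check for the fixed path is simply that the internal address with no token, a forged token, or another user's token all return 401.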

