PerlMonks  
Yes, Microsoft has made mistakes, and that is not necessarily a damning statement. But what is awkward is the reasons for these mistakes.

Microsoft has always looked to features/convenience as their #1 priority (unless you want to make "sounds good in marketspeak" to the list) and security has always been added as an afterthought.

The exploit on the page in question was doable because of Microsoft's belief that your HTML doesn't have to be correct to be parseable. It sounds good in theory, but what if they added the same "feature" to perl. The monastery would be up in arms. I personally don't think that expecting HTML to not be littered with garbage tags is so unthinkable.

Then you get into the "Security through Obscurity" practices, and I start to wonder, would you trust passport??

Furthermore, from looking at the details of the previous exploit, it would seem that future attacks will need to target users from one particular site. (Since finding the merchant ID is crucial to spoofing the server.) So, if you are a passport enabled site and 10,000 users get their credit card details stolen, you run a good risk that MS will go with the old "It's the merchant's fault" defense. This could be devastating to any online merchant. (Look at egghead.com)

I felt that the author's most insightful comment comes when he is discussing the "special hooks" used by Hotmail nee MS. If you are an early adopter of the passport service you help MS spread its influence by making it useful. Who knows if MS will use those special hooks to build a competing site.

This also begs the question, How much will passport know about your on-line transactions?? I am not even as worried about what they will do with the user data, as much as their ability to profile sales for cooperating companies. If they decide to become a competitor at a later date....

The fact that Microsoft is out to make billions is not the question, the question is how do they plan to make it.

So the Microsoft engineers make the same mistakes as the monks?? I for one would hope that MS uses some of those billions to hire programmers with more experience in security and programming than myself. Where is the testing?? Why are we always paying to join Microsoft's public betas??

The exploit on the page is related to a long standing Hotmail exploit, and passport just ups the prize for finding these exploits. Perhaps the new ThinkGeek T-shirt should be "I read your e-mail while using your credit card for phone sex."

They have used fairly weak encryption (MD5) and left some sensitive data out in the open. I think even most of the monks here would think... "Hmm, I should probably not leave the UID out in the open." Again, testing should have revealed weaknesses like these.

Finally, I would just like to harp on the changing nature of passport. From my own testing it appears that two passport servers do not behave the same way. Most likely due to the behind the scenes tweaking.

Toss in poor documentation, poor logging and error recovery, and being logged on to wallet without realizing it?? I could just keep going....

Let's face it, if you had to go in after this and "fix" this program, you'd cuss the developer for a year straight.

And can I just add that I freakin' hate IE. I do webpages, and I have some IE compatible pages with PURPOSEFUL ERRORS in them, designed to combat some of the render problems. Drives me nuts.

This message courtesy of Opera 6.0.

HamNRye
nothing4sale.org


In reply to Re: What is the real problem here? by HamNRye
in thread Passport Security by tilly
