Silicon Investor (SI) -- The First Internet Community

STOCKTALK

We've detected that you're using an ad content blocking browser plug-in or feature. Ads provide a critical source of revenue to the continued operation of Silicon Investor. We ask that you disable ad blocking while on Silicon Investor in the best interests of our community. If you are not using an ad blocker but are still receiving this message, make sure your browser's tracking protection is set to the 'standard' level.

Pastimes : Computer Learning -- Ignore unavailable to you. Want to Upgrade?

To: thecow who wrote (23173)	11/3/2001 7:49:45 PM
From: SIer formerly known as Joe B.	Respond to of 110652

Microsoft leaves its Wallet wide open Friday November 02 09:13 PM EST By Robert Lemos, ZDNet News news.yahoo.com Software flaws in the company's Passport authentication system leave consumers' financial data wide open and cause the software giant to remove a key service from the Internet. More resources from ZDNet: • Tech News on Your PDA • Land a Hot Tech Job • ZDNet Tech Update • Free Downloads • Online Classes • Most Popular Products • Super PC performance boosters • Web Surfer Power Tools • Download MP3 music Sign up for the free ZDNet News Dispatch: (CNet/ZDNet Privacy Policy) Software flaws in the security of Microsoft's Passport authentication system left consumers' financial data wide open, causing the software giant to remove a key service from the Internet to protect people from having their data stolen, a company representative acknowledged Friday. The admission came after an open-source programmer demonstrated serious security flaws in Wallet--the Passport service that keeps track of data used by e-commerce sites. Microsoft shut down the service Thursday, casting a pall on the company's recent efforts to convince consumers that it is serious about security. The incident also undermined the software giant's claims that its Passport system can keep customers' financial data safe. "It is very easy to fix the example exploit that I came up with," said Marc Slemko, the Seattle-area software engineer and open-source programmer who discovered the problems. "But to fix the inherent flaws in Passport is a pretty complex task." By sending a Hotmail user a specially crafted e-mail, Slemko could in many cases get complete access to the reader's financial data contained in Passport's Wallet service stored on Microsoft's servers. The exploit took advantage of two so-called cross-scripting vulnerabilities that appear when the communications between applications--say, a Web mail site and a financial site--are not rigorously checked for security. Slemko's idea was to combine those vulnerabilities with the fact that, for up to 15 minutes after someone signs in to Hotmail, that person's authorization extends to every other Passport service, including Wallet. In this case, if a victim reads the specially crafted e-mail within 15 minutes of signing in, the code contained in the message retrieves all the person's cookies, bits of code that identify the user. The attacker can then use those cookies to access other services within those 15 minutes. Slemko, who makes no bones about his uneasiness with Microsoft's Passport system, said he came up with the basics of his exploit in about 30 minutes of brainstorming. That, he said, shows the extent of the problems Microsoft needs to overcome. "It is very clear that either Microsoft does not have sufficient resources in place to properly review the security of their services and software, or that they are aware of the shortcomings but decided that attempting to gain market share was more important than their user's security," he stated in his paper outlining the attack. Microsoft acknowledged the security problems, originally reported by online news service Wired, calling Slemko's analysis of the security flaws "valid." On Thursday, the company temporarily disabled the Express Purchase service affiliated with Passport Wallet, effectively removing any danger that consumers could have had their information stolen. "Ultimately, the big takeaway from this is that there is no evidence that anyone has ever taken advantage of this," said Adam Sohn, product manager for Microsoft's .Net platform strategy group. Microsoft plans to shorten the time a person remains authenticated to about a minute, Sohn said. He added that the attack would not have been successful if the potential victim had been using Windows XP (news - web sites), Microsoft's new operating system. Passport is a linchpin in Microsoft's .Net strategy, acting to authenticate every person that attempts to access a service through the software giant's service. Because of that, it's important that Microsoft do everything right, Slemko said. He held out little chance that the company would, however. "The risks to users today is mitigated substantially by the fact that Passport is not all that widespread for anything more important than Hotmail accounts and customizations on other Microsoft sites," he said. "The security implications, however, of having this Passport be a single identity for a user in widespread use across the Internet are dire."

To: thecow who wrote (23173)	11/3/2001 11:18:45 PM
From: SIer formerly known as Joe B.	Read Replies (1) \| Respond to of 110652

I finally figured out my XP scroll problem. I can't believe how lame I was. I never installed the drivers for my video card. Strange thing is everything else worked fine. I see little difference between XP Pro & W2K Pro. XP is a little bit faster and a little more colorful but I use the Windows Classic look. XP also has a few cool features that I eventually might use like the Remote Assistance and the extra multimedia features like ME. The only advantage I see of W2K Pro over XP Pro is being able to install it on more than one machine. XP also has the Restore feature like ME, like I've said before I prefer Drive Image but Restore is better than nothing I suppose. One last thing XP's default sounds are much less annoying than all previous versions of Windows. As a general rule if someone's hardware and software is compliant I think it's worth upgrading from Win 9X or ME to XP but I see very little reason to go from W2K Pro to XP. XP also has some nice wallpaper I especially like tulip and follow.