30 August 1999
- Hole in MSN Hotmail gives full access to email [News.com]
Users of Microsoft's MSN Hotmail are facing a perplexing problem today: anyone on the Internet can access their email accounts.
- Microsoft Security Advisor Headlines [Microsoft]
[still no mention of the problem...]
- Slashdot discussion (highly rated comments only): Hotmail Cracked Badly [Slashdot]
- Tim Bray on the HotMail Hole [Userland]
Basically, what happened was, if you addressed a hotmail account through your browser, pointing the browser at a particular IP address inside Hotmail, it assumed you'd been validated and let you right in. No, I'm not kidding.
What this is evidence of is appalling, mind-boggling incompetence on the part of one or more engineering geeks at Hotmail. ... The thing that's really startling is that the Hotmail system was left on the air for a substantial number of hours after the one line of HTML necessary to open the door had been posted on dozens of public web sites. Now *that* is evidence of totally unforgivable organizational cancer somewhere.
It looks like it's a matter of very poor CGI programming rather than an inherent security hole in the server's OS (which I think is still FreeBSD).
What I'd really like to know is, was this crack possible before Hotmail was purchased by Microsoft, or was this an 'innovation' MS added? The hole may well have been there pre-Microsoft (which would still at the very least call into question Microsoft's diligence in investigating their buyout targets).
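The class of flaw Tim Bray describes above, a request being trusted because of the host it was addressed to, shown beside a per-request session check. This is an added Python sketch, not Hotmail's code and not part of the quoted comments; the host address, the `mailbox` parameter, the token format and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Everything below is hypothetical: it models the class of flaw, not Hotmail's code.
SERVER_KEY = secrets.token_bytes(32)      # per-deployment secret, never sent to clients
INTERNAL_HOSTS = {"10.0.0.5"}             # constructed back-end address
MAILBOXES = {"alice": ["msg-1", "msg-2"], "bob": ["msg-3"]}  # constructed data


def _mac(user):
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_session(user):
    """Called only after the password check succeeds; binds the token to one user.
    A production token would also carry an expiry."""
    return f"{user}:{_mac(user)}"


def session_user(token):
    """Return the user a token was issued to, or None if it is missing or forged."""
    if not token or ":" not in token:
        return None
    user, mac = token.rsplit(":", 1)
    ok = hmac.compare_digest(mac.encode(), _mac(user).encode())
    return user if ok else None


def read_mail_vulnerable(request):
    # Flaw: a request that reaches the back-end host directly is assumed to have
    # passed the login front end, so the mailbox named in the URL is trusted as-is.
    if request["host"] in INTERNAL_HOSTS:
        return 200, MAILBOXES.get(request["params"].get("mailbox"), [])
    return 401, []


def read_mail_hardened(request):
    # Fix: where the request arrived proves nothing. Every request must carry a
    # token the server issued, and the mailbox must match the token's user.
    user = session_user(request.get("cookies", {}).get("session"))
    if user is None:
        return 401, []
    if user != request["params"].get("mailbox"):
        return 403, []
    return 200, MAILBOXES.get(user, [])
```
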
Tomorrow's going to be a big Apple news day; Steve Jobs will give the keynote speech at Seybold.
This time, no one's quite sure what will be announced (compared to the July Macworld speech where it was pretty certain the P1 [iBook] would be announced). Leading rumors are that MacOS 9 and a new set of Pro desktop models will be introduced. Less likely is the iMac II (or whatever the sequel to the iMac will be called) -- that's probably coming in October or November.
Saw The Sixth Sense. Very well done. Nothing much I can say without giving important stuff away (it made my jaw drop many times). Great performances by Bruce Willis, Haley Joel Osment and Toni Collette.
No complaints, except that the trailers for it did a very poor job of representing the actual movie (much like the Iron Giant ads, btw). Unlike The Iron Giant, though, this movie seems to have done just fine without accurate trailers - it's been the #1 movie in the US for four weeks now. 10/10.
Speaking of The Iron Giant (which you should drop everything and go see if you haven't already), Yahoo has posted some stills from the movie:
This link's currently being Slashdotted, so I can't load the whole page (and none of the images), but it'll calm down eventually and you'll be able to get in. It's Larry Wall's keynote speech at the 3rd Perl conference (probably not interesting if you're not a programmer). There are a couple of particularly nice quotes in it:
- 3rd State of the Perl Onion [wall.org]
...the theme of all these keynote speeches has been that you can't really understand Perl without understanding Larry. There is an unfortunate corollary, however. Since it's not possible to understand Larry, it's not possible to understand Perl either.
Don't overreact. Don't underreact.
Don't overact. Don't underact.
But do act. And act passionately, with balance.
Bowfinger was all right. Definitely some laugh-out-loud moments, but not quite a classic. The Scientology parody elements were particularly fun. 7/10.
The Matrix is now pre-orderable at Amazon on DVD for $14.99(!) or on VHS for $13.99. I know Amazon is viewed poorly by lots of Net folk, but their prices are quite nice at times like this...
O'Reilly will be publishing a User Friendly collection in October, collecting the usually-funny geek cartoon by Illiad.
Finally, this one's a keeper -- funny, informative and true:
Her advice applies to a lot of electronic communication, not just press releases. The whole thing is quotable, so I won't. Just go.
Next update: Wednesday.