
Week in review: Red-faced Redmond

A flaw in Microsoft's Passport does more than put customers' accounts at risk--it gives the software giant a public relations black eye and opens the company up to stiff fines.

Steven Musil Night Editor / News
A serious security flaw in Microsoft's Passport service put more than just its 200 million customers' accounts at risk of being hijacked--it also gave the software giant a public relations black eye and opened it up to some stiff fines.

The flaw, in Passport's password recovery mechanism, could have allowed an attacker to reset the password of any account whose username (the sign-in e-mail address) was known, and so take the account over. The simplicity of the attack and the high value of the data frequently stored in Passport accounts--names, addresses, birthdates and credit card numbers--combined to make the vulnerability critical.

Microsoft immediately turned off the feature, and security and product teams worked overnight to fix the flaw. By the next morning, the company had replaced the service with a more secure version, one that should have been there in the first place. The feature had been around since September 2002, and Microsoft is investigating to what degree the flaw may have been exploited by online vandals to grab user accounts.

For a company that has publicly made security a priority, the Passport problem was a serious setback. But the damage to the company could run to more than bad public relations. The software giant may also face an investigation by the Federal Trade Commission (FTC) and significant fines for the security lapse.

Such an investigation could lead to hefty fines at a rate of $11,000 per violation. If the FTC counted every one of the 200 million accounts as a violation, the total penalty could reach $2.2 trillion. A more realistic basis for any fine, however, would be the number of people actually locked out of their accounts by the attack.

Windows of the future
Security is obviously on Microsoft's mind lately, and the software giant is letting the public know. Microsoft used its Windows Hardware Engineering Conference (WinHEC) to offer a glimpse of things to come from its Windows operating system.

One of the changes it plans to make is to visually alter document or application windows that contain private information that's secured through Microsoft's Next-Generation Secure Computing Base (NGSCB), formerly known as Palladium.

Secure windows will look different from regular, unsecured windows in order to remind people that they are looking at confidential material. People will likely be able to customize the appearance of secure windows, which will help prevent "spoof attacks," in which an attacker plants a fraudulent Web page on a PC screen that looks like, but isn't, a file from a person's doctor or accountant, for example: a forger cannot know what the victim's personalized secure window looks like.

The controversial NGSCB, which Microsoft hopes will help secure its future in the corporate market, is based on real and emulated hardware. Critics fear that the technology will result in consumers losing control of their PCs and data and that Microsoft could use the technology to lock up market share. Others argue that the combination of software and hardware could help lock down corporate data.

Four major features will be included in the first version of NGSCB: process isolation, which seals off trusted applications so that other software on the machine cannot read or tamper with their memory; sealed storage, which lets those applications encrypt data so that only the same trusted code can read it back; secure path, which encrypts input from USB (universal serial bus) devices such as keyboards and mice on its way to the trusted code and protects video output; and attestation, which takes a cryptographically signed snapshot of the key characteristics that define the integrity of the PC, so that a remote party can verify what software the machine is running.

The big news of the conference, however, was the announcement that Longhorn, the next major version of Windows for desktop PCs, will debut in 2005. With Longhorn, Microsoft hopes to improve the visual quality of the computing experience. The goal is to be able to run the OS on screens with a resolution of 120 dots per inch or higher.

Longhorn is intended to continue Microsoft's plans to make the PC the nerve center of the home entertainment network. A set-top box codeveloped by Microsoft and ATI Technologies, for instance, allows people to view on a TV monitor pictures or video stored on a PC.

Spam slam
Microsoft was also busy on the spam front, unveiling new antispam tools for its MSN and Hotmail services and noting that it now blocks 2.4 billion e-mail messages aimed at subscribers' in-boxes every day. Microsoft said MSN 8 and Hotmail subscribers can, as of this week, elect to turn off the display of images within e-mails, a feature the company said would help cut down on spam.

Images may conceal so-called Web beacons: remotely hosted images whose URL identifies the recipient, so that fetching the image confirms to the sender that a particular e-mail address is in use. That confirmation is valuable to spammers, who frequently use dictionary attacks that blanket domains with thousands of guessed addresses in the hope of hitting a handful of live targets. Beacons can be triggered when images are displayed in a preview pane, meaning that recipients do not need to open the message to be painted as a target.
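The beacon mechanism and the "turn off images" countermeasure described above, as an added example that is not code from CNET, Microsoft or Hotmail. The sample message, the tracking domain and the query-string layout are constructed for illustration; the detection heuristics (a remote image that is one pixel in size or carries a per-recipient value in its URL) are an assumption about what beacons typically look like, not a description of any particular service's filter.

```python
"""Web beacons in HTML e-mail and the 'block remote images' countermeasure.

Added example; not code from CNET, Microsoft or Hotmail. The message,
domain names and URL layout below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: an ordinary inline logo (cid:) plus a 1x1 tracking
# image whose URL carries the recipient's address. Any client that fetches
# the second image tells the sender that alice@example.com is a live mailbox.
SAMPLE_HTML = """<html><body>
<p>Great deals inside!</p>
<img src="cid:logo.png" width="100" height="40">
<img src="http://track.example-spammer.test/open.gif?r=alice@example.com&amp;c=4471" width="1" height="1">
</body></html>"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in a document."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            # HTMLParser lowercases attribute names and unescapes values
            self.imgs.append({name: (value or "") for name, value in attrs})


def _looks_personalised(query):
    """Heuristic (assumption): a query value containing an address or an
    opaque numeric id is there to identify the recipient."""
    for values in parse_qs(query).values():
        for v in values:
            if "@" in v or v.isdigit():
                return True
    return False


def find_beacons(html):
    """Return the src of every remote image that looks like a tracking beacon."""
    collector = _ImgCollector()
    collector.feed(html)
    beacons = []
    for img in collector.imgs:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid: and data: images never leave the message
        tiny = img.get("width") in ("0", "1") or img.get("height") in ("0", "1")
        if tiny or _looks_personalised(url.query):
            beacons.append(src)
    return beacons


# Matches the src attribute of any <img> that points at a remote http(s) URL.
_REMOTE_IMG_SRC = re.compile(
    r'(<img\b[^>]*?\bsrc=["\'])https?://[^"\']*(["\'])', re.IGNORECASE)


def block_remote_images(html):
    """What a 'turn off images' setting amounts to: neutralise every remote
    image reference before rendering, so nothing is fetched. Returns the
    rewritten HTML and how many references were blocked."""
    return _REMOTE_IMG_SRC.subn(r"\1about:blank\2", html)


if __name__ == "__main__":
    print("beacons:", find_beacons(SAMPLE_HTML))
    safe, blocked = block_remote_images(SAMPLE_HTML)
    print(f"blocked {blocked} remote image(s); beacons left:", find_beacons(safe))
```

Blocking at the source reference rather than at the network is the point: the beacon only works if the client issues the request, so the safe default is to render nothing remote until the reader asks for it, regardless of whether the image looks suspicious.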

EarthLink got its licks in on spam, too, winning $16.4 million in a federal court judgment and injunction against the "Buffalo Spammer." EarthLink alleged that Howard Carmack had used stolen credit cards, identity theft and other illegal means to purchase hundreds of Internet accounts in order to send out 825 million unsolicited commercial e-mails.

The Carmack case ranks among the three largest spamming judgments that EarthLink has received to date. Last year, EarthLink won a $25 million judgment against K.C. Smith, who allegedly sent out more than 1 billion unsolicited commercial e-mails over the company's networks. And in 1998, the courts awarded EarthLink a $2 million judgment in its case against Sanford Wallace, the former "king of spam."

EarthLink didn't have long to celebrate, though. In a case of antispammers against antispammers, Mailblocks filed a lawsuit against EarthLink, saying that the Internet service provider's new junk-removal system violates its own patented technology.

Mailblocks sells technology that helps Web surfers ward off spam by holding messages from unknown or automated senders until the sender answers a challenge, a system known as "challenge/response." Mailblocks alleges that EarthLink initiated discussions related to its service, but nothing came of the talks, and that EarthLink's newly proposed service "as advertised" will infringe on its patent.
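The challenge/response exchange described above, as an added example; this is not Mailblocks' or EarthLink's code and says nothing about how either product works internally. The token format (message id plus a truncated HMAC bound to the sender's address), the shared secret and the sample senders are constructed for illustration.

```python
"""Challenge/response mail filtering: hold mail from unknown senders, send a
challenge, release and whitelist only when a sender answers it.

Added example; not Mailblocks' or EarthLink's code. The token format, the
HMAC secret and the sample senders below are constructed for illustration.
"""
import hashlib
import hmac
import re


class ChallengeResponseFilter:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.allowed = set()   # senders who have answered a challenge
        self.pending = {}      # token -> (sender, body) held in quarantine
        self.outbox = []       # challenge messages this gateway would send

    def _token(self, sender: str, msg_id: str) -> str:
        # Bind the token to the sender address so a reply from another
        # address (or a guessed token) cannot release someone else's mail.
        mac = hmac.new(self.secret, f"{sender}|{msg_id}".encode(),
                       hashlib.sha256).hexdigest()[:16]
        return f"{msg_id}.{mac}"

    def receive(self, sender: str, msg_id: str, body: str):
        """Inbound mail. Known senders are delivered; everyone else is held
        and challenged. Returns ('deliver', body) or ('held', token)."""
        if sender in self.allowed:
            return ("deliver", body)
        token = self._token(sender, msg_id)
        self.pending[token] = (sender, body)
        self.outbox.append({"to": sender,
                            "subject": f"[verify {token}] please confirm you are a person"})
        return ("held", token)

    def reply(self, sender: str, subject: str):
        """A reply to a challenge. Returns ('deliver', held_body) when the
        token checks out, else ('ignored', None)."""
        m = re.search(r"\[verify ([^\]]+)\]", subject)
        if not m:
            return ("ignored", None)
        token = m.group(1)
        msg_id = token.partition(".")[0]
        if not hmac.compare_digest(token, self._token(sender, msg_id)):
            return ("ignored", None)  # wrong sender or forged token
        held = self.pending.pop(token, None)
        if held is None:
            return ("ignored", None)  # already released, or never issued
        self.allowed.add(sender)      # a human answered: trust this address
        return ("deliver", held[1])


if __name__ == "__main__":
    gw = ChallengeResponseFilter(secret=b"constructed-demo-secret")
    state, token = gw.receive("alice@example.com", "m1", "hi bob")
    print(state, token)                                  # held
    print(gw.reply("alice@example.com", f"Re: {gw.outbox[-1]['subject']}"))
    print(gw.receive("alice@example.com", "m2", "again"))  # deliver
    print(gw.receive("bulk@spam.test", "m3", "BUY NOW"))   # held for ever
```

The design relies on bulk mailers never answering challenges, which is why automated senders stay quarantined. The well-known cost is backscatter: spam arrives with forged From: addresses, so every challenge the gateway sends goes to an innocent third party, and two challenge/response users writing to each other for the first time can deadlock unless one side whitelists the other first.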

Also of note
Dell Computer's board of directors revealed that it wants to change the company's name to just Dell...Networking company 3Com will move its senior management from the Silicon Valley to its East Coast offices...Lower DSL prices could pose a serious challenge to the cable industry's hammerlock on the U.S. market for high-speed Internet access...Ted Turner sold 60 million shares of AOL Time Warner, slashing his stake by about half as he prepares to retire from his role as vice chairman at the beleaguered media giant...IBM is shedding light on a program to create the world's fastest supercomputer, illuminating a dual-pronged strategy, an unusual new processor design and a leaning toward the Linux operating system.