Bad enough that Microsoft’s Hotmail service got cracked like a cheap china cup last week, thanks to an overhelpful tweak from a guy in Sweden whose days are so full he doesn’t have time to type in his password every time he checks his e-mail. Now complaints are surfacing that Microsoft has been selling lists of Hotmail addresses to bulk e-mailers — that is, spammers.
According to various Hotmail-using sources, since late spring there has been an astonishing increase in spam volume to Hotmail recipients, many going from spam-free bliss to a flood of ads for weight-loss herbs, mortgage scams, pyramid schemes and pictures of the unclothed. Most of us suffer under the same undeserved burden, but Internet user Mike Cantelon decided to do something about it: He tracked a spammer down and “gave them unholy hell.” Then, according to Cantelon, the spammer informed him that he’d purchased the list from Microsoft — and if he didn’t want to be spammed he shouldn’t be on Hotmail.
Microsoft denies the allegations, though not for any particularly lofty reasons like “spam is a civil offense” or “really, we don’t need the money that bad.” (The latter one was shot down specifically in a conversation with internal PR folk at Microsoft, who snorted, “We’re a business; we’re here to make money. I don’t see you turning down any ads.”)
The company suggests that the spam recipients might have posted demographic information on DejaNews or listed themselves in the Hotmail directory, to which one recipient retorted, “The only place my Hotmail e-mail account is listed online is at my GeoCities site. None of my friends know about it. It mostly gets form responses and link submissions from my GeoCities site.” (That recipient declined to be identified for this article, since his GeoCities site is sex-related — hence the secrecy about the address itself, not to mention his certainty about his usage patterns.)
Spam recipients also deny replying to the “remove” addresses posted in such e-mails. Responses to such addresses are generally regarded not as a tool for recipients to remove themselves from the spammer’s list but as a tool for hardcore underground spammers to confirm that a particular e-mail address is, in fact, active and being read by a human. (In other words, asking for no more spam tends to result in extra helpings.) Other things recipients deny doing include making purchases online, posting to listservs, filling out product registrations and signing guest books on other Web sites. Of course, it’s possible (but not likely) that Cantelon’s spammers were misinformed and that a new spamming house gathered the addresses from the Net — in which case, someone out there is doing spam business while claiming to represent Microsoft.
For two bits, Bill Gates might let the spammers be Microsoft right now, if they’re willing to take the heat. Microsoft is having a bad week on the security-and-privacy front — bad even for the Redmond Menace. As we went to press, a Net security company called Cryptonym had announced the discovery of an apparent NSA “back door” in Microsoft’s CryptoAPI architecture, the basis for cryptographic security in all versions of Windows. Turns out that not only can Microsoft load encryption/decryption services (including security programs that monitor or scoop up information from your machine), so can the U.S. government. Since the Justice Department is currently petitioning Congress for the right to do this very thing without notifying the surveillance target (a procedure known in Nixon’s day as a black-bag job and usually granted only in extreme circumstances), the open-source and privacy communities are now justifiably screaming for blood.
Additionally, there’s been a steady stream of reports for the past two weeks on Internet Explorer security holes large and small, many bagged by indefatigable Bulgarian bug-hunter Georgi Guninski. Guninski’s made a name for himself in the past year with an array of finds pointing out the myriad vulnerabilities of both Internet Explorer and Netscape. Some of the holes are less troubling than others — for instance, the Cross Frame Navigate bug required that the intruder know the name of specific files he or she wanted to penetrate. But Explorer users, increasingly nervous as the security-lapse reports roll by, may be missing some of the niceties of that debate.
But back to the Hotmail security debacle, from which fallout continues and which started out not as a hack but as a time saver for Michael Nobilio, a Swedish programmer with enough time on his hands to find this hole but not enough to type his password. Nobilio discovered that you could access your Hotmail account by typing a URL containing your user name and a CGI command telling Hotmail to open your mailbox without asking for a password. Then he posted the code so anyone could use it — inadvertently making all Hotmail accounts accessible to nearly anyone.
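The class of bug described above, a mailbox handler that trusts a "which user" parameter plus a request command instead of an authenticated session, shown in miniature beside a hardened version. This is an added illustration, not Hotmail's code; the parameter names, the `open` command, the mailboxes and the passwords are all constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed sample data (hypothetical users, not real accounts).
PASSWORDS = {"alice": "pw-a", "bob": "pw-b"}
MAILBOXES = {"alice": ["hi from bob"], "bob": ["invoice attached"]}
SESSIONS = {}  # server-side store: session token -> authenticated username


def login(username, password):
    """Check credentials in constant time and return an unguessable session token."""
    if not hmac.compare_digest(PASSWORDS.get(username, ""), password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def vulnerable_handler(query_string):
    """The sloppy pattern: a 'login' parameter names the mailbox, and a
    hypothetical 'cmd=open' (meant for an already-logged-in flow) skips
    the password check entirely, so the URL alone opens any mailbox."""
    q = parse_qs(query_string)
    user = q.get("login", [""])[0]
    passwd = q.get("passwd", [""])[0]
    if q.get("cmd", [""])[0] == "open":
        return MAILBOXES.get(user)  # no credential check on this path
    if hmac.compare_digest(PASSWORDS.get(user, ""), passwd):
        return MAILBOXES.get(user)
    return None


def fixed_handler(query_string, session_token):
    """Hardened: the mailbox owner is derived only from a validated server-side
    session. Whatever 'login' or 'cmd' says in the URL is ignored for
    authorization, so a crafted link cannot pick someone else's mailbox."""
    user = SESSIONS.get(session_token or "")
    if user is None:
        return None  # not authenticated: require login, regardless of the URL
    return MAILBOXES.get(user)
```

In the hardened form the only way to reach a mailbox is to have passed `login()`, and the token lookup happens on the server, so the client cannot name a different account.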
The system vulnerability wasn’t something intentional on Microsoft’s part, according to experts; rather, it was simply sloppy coding. But when sloppy code is endemic, it’s that much harder to fix; most tech-industry observers say it’s a matter of time before the next big sinkhole opens up.
If readers would like a silver lining at the bottom of this article, here it is: Where free e-mail is concerned, for once Microsoft isn’t accused of having a monopoly on the market. With server space and bandwidth both cheaper than ever, it seems that every site around is offering free addresses; in addition, mega-sites such as Yahoo GeoCities are cheerfully prepared to hand Microsoft its lunch on this one. As a spokeswoman for Yahoo smugly put it, “You can read our Terms of Service — we’d never sell addresses.” Maybe Yahoo would like to buy a nice make-money-fa$$$t pyramid scheme instead?