💾 Archived View for clemat.is › saccophore › library › ezines › textfiles › ezines › ANTIDOTE › anti… captured on 2022-01-08 at 14:57:21.
View Raw
More Information
⬅️ Previous capture (2021-12-03)
-=-=-=-=-=-=-
Volume 2 Issue 15
9/20/99
** **
***** * * ** *
* *** ** *** ** **
*** ** * ** **
* ** ******** ** **** ********
* ** *** **** ******** *** *** ** * *** * ********
***
* ** **** **** * ** *** ********* * **** **
* ***
* ** ** **** ** ** ** **** ** ** **
* ** ** ** ** ** ** ** ** ** ** *
********* ** ** ** ** ** ** ** ** ** *
* ** ** ** ** ** ** ** ** ** ** *
* ** ** ** ** ** ** ** ** ** ** *
***** ** ** ** ** * ** ** ** ****** ** *
* **** ** * *** *** ** *** * ***** **** **
* ** ** *** *** *** ***
*****
*
** http://www.security-source.net/antidote
bof_ptr = (long *)buffer;
for (i = 0; i < bufsize - 4; i += 4)
*(bof_ptr++) = get_sp() - offs;
printf ("Creating termcap f1le\n");
printf ("b1tch is Fe3lyn 1t.\n";
------------------------------
We normally don't do this, but please visit www.security-source.net/lordoak/hka
ttmp/
and check out the "Attempted Hack", it is soooo funny!
In this issue of Antidote, we have over 750 subscribers and getting more everyd
ay! The
only thing that we ask of you when you read Antidote, is that you go to:
www.security-source.net/popup.html
and click on our sponsors. One issue of Antidote takes us about a week to put t
ogether
and going to our sponsor only takes you about 15 seconds (if that). So please g
o visit
our sponsor because it is the only thing we ask of you.
-)!-- Contents //--(-
0.00 - Beginning
0.01 - What?
0.02 - FAQ
0.03 - Authors
0.04 - Shouts
0.05 - Writing
1.00 - News
1.01 - Extensive security gaps persist in DoD networks
1.02 - Millions of Hotmail accounts Vulnerable
1.03 - MindPhasr arrested for Tampering with Pentagon
1.04 - More depth to the HotMail exploit
1.05 - Presidential candidates' Web sites fail privacy test
1.06 - Teens plead innocent in hacking case
1.07 - MicroSoft denies it gives Government access
1.08 - Zyklon admits to invading Government Servers
1.09 - All eyes on Hotmail Audit
2.00 - Exploits (new & older)
2.01 - http://browse.security-source.net
3.00 - Misc
SAY.W - SAY WHAT? Various quotes that might be humorous, stupid, true, or
just
plane making fun of something or someone.
FEAT.S - FEATURED SITES:
http://browse.security-source.net
http://www.403-security.org
http://www.hackernews.com
------------------------------
-)!-- 0.00 - Beginning //--(-
0.01 -)What?(-
What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine,
cause
that would be wrong. We don't claim to be a hacking magazine. All Antidote is,
is
basically current news and happenings in the underground world. We aren't goin
g to
teach you how to hack or anything, but we will supply you with the current inf
ormation
and exploits. Mainly Antidote is just a magazine for people to read if they ha
ve some
extra time on there hands and are bored with nothing to do. If you want to rea
d a maga-
zine that teaches you how to hack etc, then you might want to go to your local
book-
store and see if they carry '2600'.
------------------------------
0.02 -)FAQ(-
Here are a lot of questions that we seem to recieve a lot, or our "Frequently
Asked
Questions". Please read this before e-mailing us with questions and if the que
stion
isn't on here or doesn't make sense, then you can e-mail us with your question
.
> What exactly is "Antidote"?
See section 0.01 for a complete description.
> I find Antidote to not be shot for the beginner or does not teach you the ba
sics,
why is that?
Antidote is for everyone, all we are basically is a news ezine that comes ou
t once
a week with the current news, exploits, flaws and even programming. All of t
he
articles that are in here are recieved second hand (sent to us) and we very
rarely
edit anyone's articles.
> I just found Antidote issues on your webpage, is there anyway I can get them
sent
to me through e-mail?
Yes, if you go to www.thepoison.org/antidote there should be a text box wher
e you can
input your e-mail address. You will recieve a link to the current Antidote (
where you
can view it).
> If I want to submit something, are there any 'rules'?
Please see section 0.03 for a complete description.
> If I submitted something, can I remain anonymous?
Yes. Just make sure that you specify what information about yourself you wou
ld like
to be published above your article (when sending it to us) and we will do wh
at you
say.
> I submitted something and I didn't see it in the current/last issue, why is
that?
It could be that someone else wrote something similar to what you wrote and
they sent
it to us first. If you sent us something and we didn't e-mail you back, then
you
might want to send it again because we probably didn't get it (we respond to
all e-
mails no matter what). We might use your article in future issues off Antido
te.
> Can I submit something that I didn't "discover" or "write"?
Yes you can, we take information that is written by anyone regardless if you
wrote it
or not.
Well thats it for our FAQ. If you have a question that is not on here or the q
uestion
is on here and you had trouble understanding it, then please feel free to e-ma
il
lordoak@thepoison.org and he will answer your question. This FAQ will probably
be
updated every month.
------------------------------
0.03 -)Authors(-
Lord Oak is the founder of Antidote. Most work was done by him in Vol1 issue
s 1-5 and
Vol2 issues 1-13. Though, he is no longer with us.
OptikNerve Current president of Antidote and security-source.net / thepoison.o
rg. Most
work being done in Vol2 issues 14+ is done by him. Feel free to e-m
ail him
at: optiknerve@security-source.net.
Duece is the co-founder and co-president of Antidote, some work is done b
y him
when he comes online. Feel free to e-mail him at: duece@security-so
urce.net
ox1dation not really an author, just someone that helps us out a lot and we c
onsider
him as an author! His e-mail address is: ox1dation@security-source.
net
------------------------------
0.04 -)Shouts(-
These are just some shout outs that we feel we owe to some people. Some are in
dividuals
and Some are groups in general. If you are not on this list and you feel that
For some
reason you should be, then please contact Lord Oak and he will post you on her
e and we
are sorry for the Misunderstanding. Well, here are the shout outs:
Lord Oak EazyMoney
OptikNerve Forlorn
oX1dation PBBSER
lyp0x
Like we said above, if we forgot you and/or you think you should be added, ple
ase e-
mail optiknerve@security-source.net and he will be sure to add you.
------------------------------
0.05 -)Writing(-
As many of you know, we are always open to articles/submittings. We will take
almost
anything that has to do with computer security. This leaves you open for:
-Protecting the system (security/securing)
-Attacking the system (hacking, exploits, flaws, etc....)
-UNIX (really anything to do with it...)
-News that has to do with any of the above....
The only thing that we really don't take is webpage hacks, like e-mailing us a
nd saying
"www.xxx.com" was hacked... But if you have an opinion about the hacks that is
fine. If
you have any questions about what is "acceptable" and not, please feel free to
e-mail
Lord Oak [lordoak@thepoison.org] with your question and he will answer it. Als
o, please
note that if we recieve two e-mails with the same topic/idea then we will use
the one
that we recieved first. So it might be a good idea to e-mail one of us and ask
us if
someone has written about/on this topic so that way you don't waste your time
on
writing something that won't be published. An example of this would be:
If Joe sends me an e-mail with the topic being on hacking hotmail accounts
on
thursday.
And then Bill sends us an e-mail on hacking hotmail accounts on sunday, we
will
take Joe's article because he sent it in first.
But keep in mind, we might use your article for the next issue! If you have so
mething
that you would like to submit to Antidote, please e-mail lordoak@thepoison.org
or
duece@thepoison.org and one of us will review the article and put it in Antid
ote (if
we like it).
------------------------------
-)!-- 1.00 - News //--(-
1.01 -)Extensive security gaps persist in DoD networks(- 08.27.99
[www.fcw.com]
Despite countless warnings dating to 1996, the Defense Department's informatio
n net-
works continue to be plagued by serious security flaws and weaknesses that hav
e opened
up almost every area of the department to cyberattacks and fraud, according to
a new
General Accounting Office report.
Released today, GAO's report, "DOD Information Security: Serious Weaknesses Co
ntinue to
Place Defense Operations at Risk," comes just weeks after deputy secretary of
Defense
John Hamre officiated over the ribbon-cutting ceremony of the Joint Task Force
for Com-
puter Network Defense.
The JTF-CND, which was formed last December, serves as the focal point for DOD
to or-
ganize the defense of DOD computer networks and systems. When cyberattacks are
detect-
ed, the JTF-CND is responsible for directing departmentwide defenses to stop o
r contain
damage and restore DOD network functions operations.
The GAO report follows up on more than two dozen reports issued since 1996 tha
t have
outlined serious security flaws throughout DOD. "DOD has made limited progress
in corr-
ecting general control weakness we reported in 1996," GAO concluded. "As a res
ult,
these weaknesses persist across every area of general controls."
Security gaps identified in the report include weaknesses in access controls,
software
development and unauthorized roles and responsibilities for users.
According to the report, support personnel working with an unidentified DOD sy
stem were
able to alter system audit logs, which record all system activity and are a c
ritical
tool in identifying fraud and unauthorized access.
"We found at every location we visited that there was inadequate periodic revi
ew of
user access privileges to ensure those privileges continued to be appropriate,
" the re-
port stated. In one case, access authorizations for more than 20,000 users wer
e not
documented, according to the report.
In addition, GAO found that application programmers, including outside contrac
tors,
"had direct access to production resources, increasing the risk that unauthori
zed chan-
ges to production programs and data could be made and not detected."
On one system, 74 user accounts had privileges enabling them to change program
source
code without supervisory oversight, the report stated.
Speaking to reporters at the task force ribbon-cutting ceremony, Mike Dorsey,
a special
agent with the Naval Criminal Investigative Service who is working directly wi
th the
JTF-CND to investigate computer crimes against DOD networks, said unauthorized
attempts
to access DOD systems are on the rise but that DOD does not have the resources
to re-
spond to every incident.
A spokeswoman for DOD said the department is addressing all the issues contain
ed in the
report. "We know the department has its work cut out. But we are aggressively
pursuing
initiatives through a 'defense in depth' strategy," the DOD spokeswoman said.
"These
changes won't happen overnight, but we are moving ahead as quickly as our reso
urce pro-
cesses will allow."
http://www.fcw.com/pubs/fcw/1999/0823/web-dod-8-27-99.html
------------------------------
1.02 -)Millions of Hotmail accounts Vulnerable(- 08.31.99
[www.cnn.com]
Millions of free Internet e-mail accounts provided by Microsoft's Hotmail serv
ice were
susceptible to a major security breach that allowed access Monday to users' ac
counts.
The breach worked via a simple Web address which prompted for a Hotmail userna
me. Once
the username was entered, the Hotmail account came up and the mailbox was avai
lable.
The hack opened all accounts tested by CNN Interactive, but e-mail messages co
uldn't
always be opened.
There was no immediate information on how long the breach was active. Shortly
after CNN
Interactive posted the story, the site was changed to a simple message, "Micro
soft
rules." Shortly after that, the URL redirected the user to a site for a new We
b comp-
any.
The breach allowed users to read and forward a member's old messages, read new
messages
and send e-mail in some cases under the name of the user -- assuming the membe
r's i-
dentity.
Hotmail boasts 40 million subscribers.
A morning telephone call made to the public relations firm that handles Micros
oft's
publicity was referred to Microsoft's main number in Redmond, Washington.
That call was forwarded by an operator to Microsoft's Corporate Security Desk.
"You
should send that to abuse@hotmail.com. " said Greg Betcher, at that desk.
Erik Barkel, of Stockholm, Sweden, was listed in the domain name directory Int
ernic as
the administrator for the Web site's domain, but a call to his number did not
go
through.
http://www.cnn.com/TECH/computing/9908/30/hotmail.hack.01/
------------------------------
1.03 -)MindPhasr arrested for Tampering with Pentagon(- 08.31.99
[www.nandotimes.com]
A teenager said to be the founder of a hacker group called "Global Hell" was c
harged
Monday with illegally gaining access to a Pentagon computer.
The Justice Department announced that Chad Davis, 19, of Green Bay, was arrest
ed and
charged in a federal complaint with hacking into the U.S. Army computer and ma
liciously
interfering with the communications system.
The complaint said he gained illegal access to an Army Web page and modified t
he con-
tents. He also was accused of gaining access to an unclassified Army network a
nd re-
moving and modifying its computer files to prevent detection.
http://www.nandotimes.com/technology/story/0,1643,87791-138724-965254-0,00.html
------------------------------
1.04 -)More depth to the HotMail exploit(- 09.01.99
[www.zdnet.com]
It's not the crime, it's the cover-up.
Even before it fully closed a hole that left millions of customers' email wide
open to
prying eyes, Microsoft was already practicing spin control, telling CyberCrime
Monday
morning that the company had simply fallen prey to an evil genius.
"The situation was that there was a hacker who wrote some advanced code to bas
ically
bypass the Hotmail login process," said Rob Bennett, Microsoft's director of m
arketing.
"This person did have very specific knowledge of how to write development code
, and put
up a website apparently that allowed people to put in a user name.
"That code does not work anymore and there should be no future attacks from th
is per-
son." Bennett added. Nobody cracked Hotmail with elite hacking skills. Microso
ft screw-
ed up.
What a relief. We can only hope that the culprit will be swiftly brought to ju
stice and
pay a high price for using his or her rare skills to attack the Web's leading
free e-
mail provider.
The only problem is that there was no "advanced code," and there was no hacker
.
Hotmail was vulnerable because of a design error that caused the service to di
spense
with the formality of verifying passwords for users who logged in through a pa
rticular
entry point: http://wya-pop.hotmail.com/cgi-bin/start.
That entry point had been in wide use since June of 1998, when Michael Nobilio
created
a piece of free Web code that allowed Hotmail subscribers to log in to their a
ccount
through other websites. The code prompted users for their account name and pas
sword,
then passed that information along to Hotmail's login program.
It was a popular utility, which could be found on sites all around the Net. At
some
point, perhaps over a week ago, it became significantly more popular when Hotm
ail began
ignoring the password field and allowing anyone to access any account with any
pass-
word.
http://www.zdnet.com/zdtv/cybercrime/chaostheory/story/0,3700,2325507,00.html
------------------------------
1.05 -)Presidential candidates' Web sites fail privacy test(- 09.03.99
[www.news.com]
For presidential candidates, there really is no such thing as privacy. But the
same
could be true for unwitting visitors to their Web sites, according to a new st
udy.
Many White House contenders are using the Web to rustle up volunteers, campaig
n contri-
butions, and suggestions. But with all the personal information they are colle
cting,
only 2 out of the top 11 candidates have privacy statements on the front pages
of their
Web sites as of late August, according to a new study by the Center for Democr
acy and
Technology (CDT), a nonprofit public policy group.
"Many of the candidates have discussed the importance of privacy for the futur
e," Ari
Schwartz, CDT's policy analyst, said in a statement. "But their actions within
their
own campaign speak louder than their words."
Representatives for the candidates could not immediately be reached for commen
t.
Numerous Congress members, the Clinton administration, and the European Union
have
called for Web sites to disclose their data collection practices and clearly s
tate to
users how their sensitive personal data will be used.
Now CDT is calling on presidential hopefuls to do the same. Citing its report,
A First
Test: The Candidates and Their Privacy Policies, the CDT sent letters to the c
andidates
today calling for a swift change in protocol.
Vice President Al Gore and Sen. John McCain (R-Arizona) both have posted priva
cy poli-
cies on their Web sites. That is not surprising; Gore has pushed a so-called e
lectronic
bill of rights to ensure better privacy protections in the digital age. And as
chair of
the powerful Senate Commerce Committee, McCain has been a gatekeeper for most
Net-rela-
ted proposals that pass through Congress.
But others are falling short, according to CDT.
The group gave the following Republicans "F" grades for the absence of a priva
cy state-
ment on their sites: Gary Bauer, Pat Buchanan, George W. Bush, Elizabeth Dole,
Alan
Keyes, and Dan Quayle.
Candidate Steve Forbes got a "B" for mentioning privacy on his volunteer page
and post-
ing a policy on his contribution section. And Sen. Orrin Hatch (R-Utah) landed
a "B+"
for the privacy statement on his volunteer and donation pages. But Democrat Bi
ll Brad-
ley got only a "C+" for the sole privacy policy found on his volunteer page.
"Election law requires that donors giving over $200 to a campaign be reported,
so the
Web sites ask for name, address, employer, and occupation, as well as credit c
ard num-
ber for online contributions, and often other information," the report states.
"In the past, however, campaigns have been accused of selling or trading the n
ames and
information of their contributors and volunteers for purposes unrelated to the
explicit
reason for which this information was collected," the study continues. "Theref
ore, the
candidates' respect for the privacy of campaign volunteers and donors is an ea
rly test
of their policy, perhaps indicating how high a priority privacy would be in th
e candi-
date's administration."
The group wants candidates to let Web users know whether they intend to sell o
r share
the data collected about volunteers and donors; to let visitors indicate wheth
er they
want their data shared; and to give individuals access to their personal infor
mation
held by the campaign to correct inaccuracies.
http://www.news.com/News/Item/0,4,41255,00.html?st.ne.fd.mdh.ni
------------------------------
1.06 -)Teens plead innocent in hacking case(- 09.03.99
[www.usatoday.com]
Four teen-agers charged with hacking into the computer systems of the Pentagon
, NASA
and the Israeli parliament pleaded innocent Thursday, the lawyer for the alleg
ed ring-
leader said.
Shmuel Tzang said his client, Ehud Tenenbaum, 19, broke no law when he penetra
ted the
Internet sites of American and Israeli institutions because there was no notic
e on the
sites declaring them off-limits.
The other defendants are Guy Fleisher, Ariel Rosenfeld and Rafael Ohana. Their
ages
were not given, but the indictment said they were all born in 1979, making the
m all 19
or 20.
Another defendant, Barak Abutbul, has confessed to helping Tenenbaum break int
o the
computer systems and has agreed to testify against him in exchange for a light
er sen-
tence.
Police have said that Tenenbaum, who used the name ``The Analyzer'' on the Int
ernet,
was the group leader and tutored the others in the unauthorized penetration of
computer
systems.
An Israeli magistrate ordered charges that the teens broke into computer syste
ms of ex-
tremist groups in the United States dropped, and asked the two sides to reduce
their
witness lists by having some people submit affidavits instead of testifying, T
zang
said.
The original list includes 10 U.S. witnesses, mostly FBI agents, who would be
flown in
from the United States at Israel's expense.
Tenenbaum did not address the court as his lawyer entered the plea.
The two sides will return to court Oct. 10 to tell the judge if they were able
to re-
duce the number of witnesses. A trial date has not yet been set.
The defendants face a maximum sentence of three years in prison if convicted.
None are
in custody.
http://www.usatoday.com/life/cyber/tech/ctg016.htm
------------------------------
1.07 -)MicroSoft denies it gives Government access(- 09.08.99
[www.theage.com.au]
Microsoft Corp sought to assure consumers that it did not insert a secret back
door in
its popular Windows software to allow the US government to snoop on their sens
itive
computer data.
The sensational charge of a quiet alliance between Microsoft and the US Nation
al Secur-
ity Agency came after a Canadian programmer stumbled across an obscure digital
``sign-
ing key'' that had been labeled the ``NSA key'' in the latest version of Micro
soft's
business-level Windows NT software.
An organisation with such a signature key accepted by Windows could theoretica
lly load
software to make it easier to look at sensitive data _ such as e-mail or finan
cial re-
cords _ that had been scrambled. The flaw would affect almost any version of W
indows,
the software that runs most of the world's personal computers.
Microsoft forcefully denied yesterday that it gave any government agency such
a key,
and explained that it called its function an ``NSA key'' because that federal
agency
reviews technical details for the export of powerful data-scrambling software.
``These are just used to ensure that we're compliant with US export regulation
s,'' said
Scott Culp, Microsoft's security manager for its Windows NT Server software. `
`We have
not shared the private keys. We do not share our keys.''
The claim against Microsoft, originally leveled by security consultant Andrew
Fernandes
of Mississauga, Ontario, on his Web site, spread quickly in e-mail and discuss
ion
groups across the Internet, especially in those corners of cyberspace where Mi
crosoft
and the federal government are often criticised.
Culp called Fernandes' claims ``completely false.''
An NSA spokesman declined immediate comment.
Bruce Schneier, a cryptography expert, said the claim by Fernandes ``makes no
sense''
because a government agency as sophisticated as the NSA doesn't need Microsoft
's help
to unscramble sensitive computer information.
``That it allows the NSA to load unauthorised security services, compromise yo
ur opera-
ting system _ that's nonsense,'' said Schneier, who runs Counterpane Internet
Security
Inc. ``The NSA can already do that, and it has nothing to do with this.''
Fernandes, who runs a small consulting firm in Canada, said he found the suspi
ciously
named ``NSA key'' _ along with another key for Microsoft _ while examining the
software
code within the latest version of Windows NT.
The existence of the second key was discovered earlier by other cryptographers
, but
Fernandes was the first to find its official name and theorise about its purpo
se.
``That (the US government) has ... installed a cryptographic back door in the
world's
most abundant operating system should send a strong message to foreign (inform
ation
technology) managers,'' he warned on his Web site.
But Fernandes seemed less worried yesterday in a telephone interview.
``I don't know that they have reason to lie,'' he said. ``The main point is, y
ou can't
really trust what they're saying. They've been caught with their hand in the c
ookie
jar. In fact, I think they're being fairly honest, but you don't know what els
e is in
Windows.''
http://www.theage.com.au/daily/990904/news/news50.html
------------------------------
1.08 -)Zyklon admits to invading Government Servers(- 09.08.99
[www.news.com]
A 19-year-old computer cracker with the screen name "Zyklon" pleaded guilty to
day to
attacks involving Web pages for NATO, Vice President Al Gore, and the United S
tates In-
formation Agency (USIA), prosecutors said.
Prosecutors from the U.S. Attorney's Office said Eric Burns of Shoreline, Wash
ington,
also admitted in federal court in Alexandria, Virginia, that he had advised ot
hers on
how to attack the White House Web site in May.
They said Burns faces a maximum possible punishment of five years in prison an
d a
$250,000 fine, and he could have to pay restitution. His sentencing is schedul
ed for
November 19 before U.S. District Judge James Cacheris.
Burns acknowledged that the computer intrusions caused damages exceeding $40,0
00, the
prosecutors said. He admitted to cracking computers in Virginia, Washington st
ate, Lon-
don, and Washington, D.C.
Prosecutors said Burns designed a program called "Web bandit" to identify comp
uters on
the Internet vulnerable to attack. He found that the computer server at Electr
ic Press
in Reston, Virginia, was vulnerable and attacked it four times between August
1998 and
January 1999, they said.
Electric Press hosted the Web pages for NATO, the vice president, and USIA.
Prosecutors said the attacks affected U.S. embassy and consulate Web sites, wh
ich de-
pended on the USIA for information. One attack resulted in the closing down of
the USIA
Web site for eight days, they said.
Prosecutors said Burns attacked the Web pages of about 80 businesses whose pag
es were
hosted by Laser.Net in Fairfax, Virginia; the Web pages of two corporate clien
ts of Is-
sue Dynamics in Virginia and Washington, D.C.; and the University of Washingto
n Web
page.
They said Burns also attacked an Internet service provider in London.
Burns usually replaced the Web pages with his own, which often made references
to "Zy-
klon" and his love for a woman named "Crystal," they said.
The prosecutors said there was an attempt to replace the White House Web page
with one
referring to "Zyklon" and "Crystal" in May. The White House was forced to shut
down the
page for two days, and the computer system was reconfigured.
Although Burns took credit for the attack during an Internet chat session, he
told the
judge he simply had provided advice to others on how to do it, the prosecutors
said.
http://www.news.com/News/Item/Textonly/0,25,41358,00.html?pfv
------------------------------
1.09 -)All eyes on Hotmail Audit(- 09.13.99
[www.wired.com]
Can the Internet industry spank itself? Some are watching the outcome of the l
atest
major Web breakdown to see.
Microsoft has chosen an undisclosed independent auditor to give Hotmail a secu
rity
once-over. As it does so, the company, industry watchdog Truste and privacy ad
vocates
cast the audit as a testament to -- or failure of -- effective self-regulation
.
Following a recommendation last week by Truste, Microsoft went about choosing
an inde-
pendent auditing firm this week to test the security of its free Hotmail email
service.
"We're doing an independent review or audit of the Hotmail incident of last we
ek, which
got lot of attention," said Microsoft spokesperson Tom Pilla.
Hotmail users were confronted with an alarming security breach last week. Hack
ers expo-
sed every Hotmail email account so that anyone who knew a person's username co
uld acc-
ess that account without a password.
"Truste said Microsoft was in compliance and believed [the Hotmail security is
sue] to
be resolved. But we are continuing to investigate that incident completely to
ensure
that the service complies with the high standards we put on consumer privacy,"
Pilla
added.
Truste spokesman Dave Steer emphasized that his organization didn't order Micr
osoft to
hire an auditor; rather, it was a recommendation. Pilla underscored the point.
"They
suggested and we agreed. It's not something we had to do."
So if the agreement was such a non-threatening, voluntary arrangement, does it
stand up
as an effective demonstration of the power of self-regulation?
"Yeah, I think it [does]," Pilla said. "As soon as the incident occurred we [w
ere] in
close coordination with Truste, as we always are on these things."
Last week, Truste took an initial stance that the incident was a security issu
e, not a
privacy matter. But Steer said the organization sees the two issues as connect
ed, and a
Truste statement on the organization's Web site clarifies its position.
"The statement clearly highlights the fact that there's not trust without priv
acy and
similarly there's not privacy without reasonable security of the data being pr
otected,"
Steer explained. "So in some instances, yes -- security and privacy go hand in
hand."
Jason Catlett, a privacy advocate who closely watches the self-regulation issu
e, was
guardedly impressed by the sheer notion of an audit.
"I don't write it off as [a] meaningless act. I'm quite pleased that they have
agreed
to an independent audit. It's a small window opened in the fortress Redmond,"
he said.
But Catlett read hidden meaning in the unprecedented Microsoft decision, and d
oesn't
see it as evidence of self-regulation's effectiveness.
"Basically, [Microsoft] realize[s] that nobody believes a single word they say
anymore,
so they're paying an accounting firm to say things for them."
The nature of this security breach -- a simple function of logging into an ema
il a-
ccount -- made it easier for Microsoft to open up Hotmail for review, Catlett
said.
In contrast, the company's undisclosed use of a unique identifier in Microsoft
Office
documents and Microsoft cookies created during user registration of Windows, h
ad much
broader implications.
Thus, when an audit was badly needed, Microsoft declined.
"Truste didn't do an audit [in that case] so [Catlett's Junkbusters watchdog g
roup]
went to the FTC and asked them to require an audit, and Microsoft just refused
."
This time, "Truste suggested an audit and Microsoft agreed -- this is the cozi
est regu-
lation imaginable," Catlett said.
Pilla disagreed. "I think it's a very good expression of self-regulation," he
said. "I
think our swift response to the Hotmail incident coupled with inviting a third
party
review is evidence of our commitment to protecting people's online privacy."
The legitimacy of the Hotmail audit will depend on the particular security iss
ues the
auditing firm is asked to test. "Management makes some assertion and the actin
g firm
attests to that assertion. If the assertions are very limited, then the conclu
sion [of
the] accounting firm is very limited," Catlett said.
Pilla said he couldn't comment on the specifics of the audit yet. "We don't kn
ow what
the process is, moving forward."
He also wouldn't say whether the public would ever get to review the test cond
ucted by
the auditing firm.
As to skepticism of the self-regulatory process, Truste's Steer said, "We don'
t dictate
where the program is going to go based on the skeptics. We have to take a good
hard
look at what the consumer needs. ... Any reasonable person can take a look at
what's
going on right now and come to their own conclusion. If you ask me personally,
I think
this is an example that the system worked."
Whatever the outcome, it will no doubt be logged into any case histories seeki
ng to
build a case for or against self-regulation.
Pilla said the audit should take "not months but a fairly short amount of time
."
Said Catlett: "They're on a tightrope where they're trying to maintain credibi
lity as a
consumer advocacy organization while still not scaring away potential licensee
s with
any real prospects of sanctions."
http://www.wired.com/news/news/technology/story/21691.html
------------------------------