In November we saw a notable event in the history of Microsoft.
I refer, of course, to the public demonstration of Microsoft's ongoing failure to provide adequate security in Passport, often considered the authentication keystone to the company's heralded .NET initiative.
("Initiative," in computer journalism terms, refers to any conglomerate of technologies and business mission statements sufficiently diffuse and nebulous that we can't be sure what they'll mean, what they'll be called, or whether they'll exist two years from now.)
Public reports were that Marc Slemko, a software developer located not far from Microsoft's Redmond, Wash. HQ, put together a unique method of stealing Passport data from users willing to open a Hotmail message. Said data included their credit card numbers.
The technique, it appears, relied on the exploitation of a number of security flaws associated with various Microsoft technologies and working in conjunction with each other. (It would seem Microsoft's flaws are as interoperable as Microsoft's products.)
Now, one hears of the shortcomings of Microsoft's security technologies on a daily basis, and one has grown jaded by the endless reports of new Office viruses, Outlook worms, IIS hacks, Internet Explorer weaknesses and Hotmail vulnerabilities.
But for Passport -- a central authentication mechanism intended specifically to provide robust and ultra-secure e-commerce -- to fall prey along these lines so readily seems unforgivable. Passport is, after all, purported by Microsoft to be "one easy way to sign in and shop online." The company suggests that we "store information in a .NET Passport wallet that will help you make faster, safer online purchases at any .NET Passport express purchase site."
Claimed Microsoft .NET product manager Adam Sohn: "These are very sophisticated exploits. This isn't just somebody downloading a script from a hacker site and running it."
Slemko, however, is evidently a criminal mastermind in the manner of Lex Luthor or similar, for he claims he required only half an hour to develop his approach in toto.
Perhaps we shouldn't be surprised at this. In 2000, we heard from AT&T, which after conducting an analysis of Passport concluded that it (and, to be fair, other similar services) "carried significant risks" and "must be viewed with suspicion."
This wouldn't be so bad normally -- companies and consumers are always free, of course, to reject services they consider inadequate -- but for the recent release of, and marketing push behind, Windows XP.
XP is nothing if not a tour guide to the power of targeted marketing, and the marketing in this case is usually happening on behalf of Passport. The operating system encourages us to march to the Passport drum early and often, and not always for manifestly obvious reasons.
"You'll need a Passport account if you want to type the letter E" is not a message I have seen yet, but I have great faith Microsoft will roll it into the next rev.
And while Passport accounts may be free to consumers, you can be sure Microsoft is not giving away access to the underlying service to businesses.
So what are we left with here? A large, powerful, incredibly lucrative operation which attempts, through unorthodox means, to solicit protection money from businesses for security services... which turn out not to be secure. Doesn't this sound familiar?
Is Microsoft, then, the Mafia for the rest of us?
Sometimes I wonder.
Perhaps it won't be too many years from now before we see another Department of Justice initiative (I use the word "initiative" deliberately) that will result in a certain Mr. Ballmer testifying in response to questions put to him by the Senate:
Senator: You are an employee of the Genco Olive Oil Company, are you not, sir?
Ballmer: I am.
Senator: But the Genco Olive Oil Company is in fact only a front for... the shadowy underworld empire known as Microsoft, isn't that correct?
Ballmer: No. (Pause.) There is no Microsoft. Microsoft is a myth.
Senator: I see.