May 11 2003

200 million Hotmail accounts compromised

REDMOND, WA, USA – Microsoft’s .NET Passport login system, which it
uses for Hotmail and other services, has been hit by yet another security
scandal, one that could cost the company $2.2 trillion. An easily
exploited flaw in its password recovery allowed anybody in the world
to access anybody’s Passport (and hence Hotmail) just by knowing their
login. The Federal Trade Commission asserted last year that future breaches
of security that jeopardize users’ information could draw fines of $11,000
per infraction, which, multiplied by 200 million accounts, adds up
to $2,200,000,000,000.

For the last year, the only thing
one needed to do to hijack a Hotmail account was type "emailpwdreset"
and your own email address into the right places of a web address, and
voilà, you got an email with a new password for the victim’s account. While
this had been in existence since sometime in 2002, emails of "My account’s been
hijacked!" to MSN Support were being answered with what
amounted to, "Don’t give out your password then. Go away."
Although Microsoft had been contacted about this security flaw by email,
it wasn’t until it was posted publicly to a security mailing list that
they closed the hole (three hours later).
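The flaw described above is a trust-boundary mistake, not a crypto break: the reset request let the requester choose the mailbox that received the new password. The following is an added example written for this page, not Microsoft’s code; the parameter names (`login`, `prefem`), the user table, the outbox and the attacker address are all constructed. It puts a handler with that mistake next to a hardened one that mails only the address on file, sends a single-use expiring token instead of a password, and answers identically for known and unknown logins.

```python
"""Constructed password-reset handlers: one with the flaw, one without."""
import secrets
import time
from dataclasses import dataclass, field

# Constructed user table (assumption): login -> contact address and password.
USERS = {
    "victim@hotmail.example": {"contact": "victim-backup@isp.example",
                               "password": "old-secret"},
}
RESET_TOKENS = {}          # token -> (login, expiry as unix time)
TOKEN_LIFETIME = 15 * 60   # seconds


@dataclass
class Outbox:
    """Captures outgoing mail so the flow can be checked offline."""
    sent: list = field(default_factory=list)

    def send(self, to, subject, body):
        self.sent.append({"to": to, "subject": subject, "body": body})


def vulnerable_reset(params, outbox):
    """Flawed handler: a requester-supplied 'prefem' decides where the
    freshly set password is delivered. Knowing the login is enough."""
    account = USERS.get(params.get("login"))
    if account is None:
        return "unknown account"          # also confirms which logins exist
    send_to = params.get("prefem") or account["contact"]
    new_password = secrets.token_urlsafe(12)
    account["password"] = new_password
    outbox.send(send_to, "Your new password", new_password)
    return "sent"


def hardened_reset_request(params, outbox):
    """Hardened handler: ignores any caller-supplied destination, mails a
    single-use expiring token to the address on file, and gives the same
    answer whether or not the login exists."""
    account = USERS.get(params.get("login"))
    if account is not None:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[token] = (params["login"], time.time() + TOKEN_LIFETIME)
        outbox.send(account["contact"], "Reset your password", f"token={token}")
    return "if the account exists, a reset link was mailed to its address on file"


def hardened_reset_complete(token, new_password):
    """Second step: the token proves control of the registered mailbox.
    Returns True only for an unexpired token, and only once."""
    entry = RESET_TOKENS.pop(token, None)      # pop makes it single-use
    if entry is None:
        return False
    login, expires = entry
    if time.time() > expires:
        return False
    USERS[login]["password"] = new_password
    return True


def demo():
    """Runs the attack from the article against both handlers and reports
    whether the attacker's mailbox ends up holding a working password."""
    attack = {"login": "victim@hotmail.example", "prefem": "attacker@evil.example"}

    out = Outbox()
    vulnerable_reset(attack, out)
    to_attacker = [m for m in out.sent if m["to"] == attack["prefem"]]
    vulnerable_leaks = bool(to_attacker) and \
        to_attacker[0]["body"] == USERS[attack["login"]]["password"]

    out = Outbox()
    hardened_reset_request(attack, out)
    hardened_leaks = any(m["to"] == attack["prefem"] for m in out.sent)
    mails_address_on_file = out.sent[0]["to"] == USERS[attack["login"]]["contact"]

    return {"vulnerable_leaks_password": vulnerable_leaks,
            "hardened_leaks_password": hardened_leaks,
            "hardened_mails_address_on_file": mails_address_on_file}


if __name__ == "__main__":
    print(demo())
```

The fix is in what the server refuses to take from the request: the reset destination. Mailing a token rather than a password means a leaked mail can be revoked by expiry and single use, and the uniform response for unknown logins keeps the endpoint from doubling as an account enumerator.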

It seems users are now starting to
understand Microsoft’s new "Trustworthy Computing" theme.
"I really trust Microsoft," said one system administrator.
"As long as I check every few hours for security patches, my systems
are only vulnerable to publicly known attacks for a few hours every
week or two." Hotmail users in general are warming up to Microsoft
due to this news. "Oh, they fixed another hole that could allow
anyone to take over my account?" asked one Hotmail user. "Well
aren’t they great? Always working hard to make my life better."

Security experts leaped to Microsoft’s
defense. "They’re great! Keep buying their products," urged
one expert who specializes in disaster recovery. Another expert, an
aftermarket security software developer, agreed. "Microsoft is
the most trustworthy email provider I can think of that is supported
by ads and spam, and rhymes with Lycrosoft." We asked one of our
security experts to email us a list of all the reasons why Microsoft
systems and services are secure and trustworthy, but unfortunately each
time we asked, we only received blank emails.

This whole issue brings up the question:
what IS a Microsoft Passport? Microsoft wants it to be where you keep
all your credit card and personal information, allowing you to easily
authorize them to charge things with a minimum of fuss. In reality,
it’s their login system for MSN Messenger and Hotmail. A Passport’s login
is an email address, and that is also one’s login for MSN Messenger. (It’s
actually possible to register an @alteringtime.com email as a Passport
for Messenger use, allowing you to be totally Hotmail-free.)

The author of this article doesn’t
use much Microsoft software, but has more free time and money to waste
now so he begins to wish he did.
