
Microsoft's Passport to doom

Munir Kotadia: A security vulnerability in Passport could open the way for the FTC to finish a job that the DoJ started, and remove Microsoft's stranglehold on the IT industry

Another week and yet another Microsoft security vulnerability has emerged -- this time on Passport, which is supposed to be used as a central repository for personal information, including credit card details.

Passport is Microsoft's attempt to create a 'single sign on' system so people don't have to remember hundreds of passwords and usernames in order to go shopping online.

If you have a Hotmail account, then you were at risk, but unless you were naïve enough to trust Passport with your most valuable information, the only danger was that someone might be able to read your private emails -- if they could find them among all the spam.

However, if you have had problems logging into your Hotmail account, or another Passport service, and you had to get a new password or open a new account, there is a chance that you were a victim, without ever knowing.

For some reason, Microsoft decided to use a simple URL for Passport's password change function, which means that if I wanted to break into your Passport account, all I needed to know was your username. I would type a particular URL into my browser and within minutes, your username and password would be sent to an email address of my choice.

From that moment, I would have complete access to your Passport account.
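As an added illustration (not code from the column, and not Microsoft's Passport code), here is a toy password-reset flow in Python. The first handler mails a fresh password to whatever address the request names, which is the design error the column describes: knowing a username is enough. The second handler sends a single-use, expiring token only to the address already on file, and answers identically whether or not the account exists. The parameter names (`username`, `emailto`), the account store and the mail outbox are constructed assumptions.

```python
import hashlib
import secrets
import time

# Constructed sample store (hypothetical): a real service would hold a salted
# password hash; plain text here only keeps the example short.
ACCOUNTS = {"alice": {"email": "alice@example.org", "password": "s3cret"}}
OUTBOX = []  # (recipient, body) pairs; stands in for the outbound mail server


def send_mail(recipient, body):
    OUTBOX.append((recipient, body))


# ---- The flawed design: the caller chooses where the credentials go ----
def reset_password_vulnerable(params):
    """Hypothetical reset handler with the design error the column describes.

    The only thing a caller needs is the username; `emailto` comes straight
    from the request, so the new password is delivered wherever the request
    says, not to the account owner.
    """
    account = ACCOUNTS.get(params.get("username"))
    if account is None:
        return False
    new_password = secrets.token_urlsafe(8)
    account["password"] = new_password
    send_mail(params["emailto"], "Your new password is " + new_password)
    return True


# ---- Hardened design: one-time token, sent only to the address on file ----
TOKEN_TTL_SECONDS = 15 * 60
GENERIC_REPLY = "If that account exists, a reset link has been sent to its address on file."
_pending = {}  # sha256(token) -> (username, expiry timestamp)


def _token_key(token):
    # Store only a hash of the token so a leaked table of pending resets is
    # useless on its own.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username, now=None):
    """Step 1: reply identically for known and unknown users, and never let the
    request choose the recipient."""
    now = time.time() if now is None else now
    account = ACCOUNTS.get(username)
    if account is not None:
        token = secrets.token_urlsafe(32)
        _pending[_token_key(token)] = (username, now + TOKEN_TTL_SECONDS)
        send_mail(account["email"], "Reset link: https://example.test/reset?token=" + token)
    return GENERIC_REPLY


def complete_reset(token, new_password, now=None):
    """Step 2: possession of the token proves control of the mailbox on file.
    A token is consumed on first presentation and rejected once expired."""
    now = time.time() if now is None else now
    entry = _pending.pop(_token_key(token), None)
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[username]["password"] = new_password
    return True
```

The hardened flow changes who holds the secret: the requester never learns the new credential, only the holder of the registered mailbox does, and the generic reply keeps the reset endpoint from confirming which usernames exist. The `now` parameter exists so the expiry check can be exercised deterministically.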

The flaw in Passport was such a fundamental error that it makes me cringe whenever I hear the term "trustworthy computing". How can anyone associated with Microsoft keep a straight face when talking about security?

The day after the flaw was discovered -- and after Microsoft's finest engineers spent 24 hours fixing the problem -- Adam Sohn, product manager for Microsoft's Passport team, was speaking with reporters: "[The flaw] was something that slipped through the reviews," said Adam, who (I'm sure must have been trying to hold back a huge belly laugh) added: "You live and learn."

A little while ago, Microsoft was slapped on the wrists for putting up adverts that claimed its software would make hackers an extinct species. A judge made the company pull the whole advertising campaign because its claims were a joke.

But the more I think about it, the more it makes sense. Hackers will become extinct because Microsoft 'security' is so simple to penetrate that you don't need a hacker; in fact, a trained chimp would be overqualified.

On Microsoft's Web site, the company says it "takes all reported incidents of security issues very seriously and is committed to keeping our customers informed of developments." Well that makes me feel much better. What this tells me is that when (no questions about 'if') there is a security problem with a piece of bloatware, the boys in Redmond will tell us about it. Not fix the problem or apologise for being incompetent, but just let us know that a problem existed.

Well thanks guys.

In the terms and conditions of Passport, it says: "Microsoft is not responsible for any loss that you may incur as a result of any unauthorised person using your account or your password." So even though its software is flawed, if someone takes advantage of that flaw, Gates and co are not responsible.

There are reports that last August, Microsoft promised the Federal Trade Commission (FTC) that it would tighten up its security -- including Passport. The FTC now has a legal case to fine Microsoft so heavily (£1.4tn) that even Redmond's seemingly bottomless bank account would be emptied. This leaves the FTC in a position to clean up the mess left by the Department of Justice.

When I checked my emails this morning, I found that Symantec had recently carried out a survey of IT directors and found that, given a magic wand, 40 percent of them would eradicate all the software vulnerabilities in their systems. The survey didn't tell me what the remaining 60 percent would eradicate, but I would like to think that it would be Microsoft's stranglehold on the IT industry.

Go on FTC, show some bottle and wave that wand.