This Blog Is Not For Reading

A blog, just like any blog, only more so

  • Subscribe

  • Categories

  • RSS Bob Jonkman’s Microblog

    • Favorite 13 March 2019
      bobjonkman favorited something by lnxw48a1: You go to post, you look it over. It looks okay. Hit "Post" and now there are words missing, words spelled incorrectly, punctuation missing.
    • bobjonkman repeated a notice by lnxw48a1 13 March 2019
      RT @lnxw48a1 You go to post, you look it over. It looks okay. Hit "Post" and now there are words missing, words spelled incorrectly, punctuation missing.
    • New note by bobjonkman 7 March 2019
      If you have an external clock that's transmitted exclusively over an analogue channel, then everyone would hear the beats at the same time (barring speed-of-light transmission times, which is really only a factor if the transmission uses geosynchronous satellites). But if there is any digital transmission then you're back to the same problem. Not everyone […]
    • bobjonkman repeated a notice by lauraritchie 7 March 2019
      RT @lauraritchie @bobjonkman @strangeattractor what if they instead of playing reactively everyone played to a world clock? - people could always record their contributions and video magic can be done with screens in a room and then the one room is streamed.
    • New note by bobjonkman 4 March 2019
      The solution would be to have an analogue connection from end-to-end. But today, even analogue phones are connected to digital switching networks, so you can't even use ordinary landline phones and expect to get no delay. You can get "leased lines" from the phone companies that are analogue end-to-end, but leasing a tuned circuit that […]
    • New note by bobjonkman 4 March 2019
      Performing music together over an Internet connection is next to impossible if there is *any* lag at all. Typically, the lag is caused by short 10-50 millisecond delays for every router hop, at minimum one hop from you to your ISP, another from ISP to Internet Exchange Point (IXP), IXP to my ISP, and a […]
    • bobjonkman repeated a notice by lauraritchie 4 March 2019
      RT @lauraritchie More on the livestreaming dilemma...I need to have the option of multiple participants AT THE SAME TIME - like playing in a band. So maybe the keyboard and drums are in one place (live) and the sax player joins from another country via a link. Does anyone know of a platform that lets […]
    • New note by bobjonkman 3 March 2019
      The duct tape is in very good condition.
    • New note by bobjonkman 3 March 2019
      Test receive, also pls ignore
    • New note by bobjonkman 25 February 2019
      ...and wouldn't you have to include the time to insert 225,000 microSD cards in your laptop, write 256 GBytes to them, and then (after transporting them at about 10 PBytes/second, assuming 6 seconds of flight time), spend more time to insert those 225,000 microSD cards in the other guy's laptop to read those 256 GBytes? […]

What to do about compromised Hotmail passwords

Posted by Bob Jonkman on November 18th, 2010

autoroute à emails

autoroute à emails by Biscarotte

I administer a number of e-mail systems, and I’ve been seeing a lot of spam coming from Hotmail accounts recently. And both friends and clients have been telling me that it’s not them who are sending spam from Hotmail (and ending up in my e-mail systems), their accounts have been hacked. One person asked me:

Is it just Hotmail? What else could I use? Can’t I just change my password?

Changing passwords is only an effective solution if the account was compromised by social engineering, eg. the legitimate user giving out the password in a phishing attempt or other direct means, or if a simple password was guessed or cracked.

There is evidence that Hotmail and Yahoo’s password recovery mechanism is flawed (eg. the Sarah Palin breach), so that malusers can acquire a new password for an account. I don’t think this is happening, because victims are not reporting being locked out of their accounts. Of course, if the service merely sends out the current password then this may be what is happening, and no amount of password complexity will protect the account.

If the passwords were compromised by an automated password cracker then I would expect only simple passwords to be breached, and accounts with strong passwords would be safe. I do not know what kind of passwords were in use by the people who have compromised accounts, but it is likely they were simple passwords.

While I have no evidence, I think the current rash of breaches is due to a more systematic attack by URL munging, or fuzzing the inputs on a POST request, or some other attack vector. These attacks do not require an authenticated login, and in that case no amount of password complexity will provide security either.

I haven’t heard of similar compromised accounts in Gmail, so that may be a suitable alternative for now. I’ve been recommending that people use the mail accounts provided by their ISPs, largely so that they can make use of the ISP’s technical support if their accounts do get compromised. And, of course, if they’re paying their ISP for a mail account then there may be immunity from liability (“My mail account was compromised and I was paying my ISP for security, so all this spam is their fault”).

–Bob.

Update 5 Feb 2012: I retract the first sentence in the last paragraph. E-mail Administrator friends have been telling me that Google Mail is just as vulnerable as Hotmail and Yahoo. Having just read “Hacked!” in The Atlantic I’m convinced the problem of compromised mail accounts is worse than I thought, and that no online providers (especially the “free” ones) adequately protect the e-mail of their users.

autoroute à emails by Biscarotte is used under a Creative Commons by-sa-v2.0 license.

 
Better Tag Cloud