Brian's Buzz on Windows has changed its name to the Windows Secrets Newsletter.
  Brian's Buzz on Windows
MAY 22, 2003 - Issue 6

This issue contains a lot of news about Microsoft upgrades and workarounds and the problems that can occur with the same. But what else would you expect from a newsletter about Windows? Let's dive right in, shall we? --Brian Livingston


TOP STORY - info you need to make Windows work

Passport flaws let anyone control passwords

By Brian Livingston

Weaknesses in Microsoft's "single sign-in" Passport technology forced the Redmond company early this month to temporarily shut down the ability of Passport users to change their passwords.

One of the newly discovered flaws permitted anyone to change an existing Passport account's password at will. Because the password is the only thing standing between a visitor and the account, an intruder who reset it also got the use of any credit-card numbers the original user had stored in the account's Passport Wallet.

The password change could be accomplished by simply visiting Microsoft's Passport site, Register.Passport.com, and including a user's e-mail address - such as example@hotmail.com - as a parameter in the address bar of the visitor's browser. A second parameter named the mailbox that should receive the "change password" link. The Passport site honored that second parameter and sent the link to whatever address it contained, rather than only to the address registered for the account. An attacker who knew nothing but the victim's e-mail address could therefore have the reset link delivered to a mailbox of his own and use it to set a new password.
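The flow above is a textbook case of a password-reset endpoint trusting the request to say where the reset link goes. The following is an added illustration written for this page, not Microsoft's code: a toy reset service in the vulnerable shape, beside a hardened version that only ever mails the address registered for the account, issues a random single-use token with a short expiry, and answers identically whether or not the address exists. The parameter names `email` and `sendto`, the `example.invalid` link, and the sample account store are assumptions constructed for the example, not Passport's real parameter names or data.

```python
import secrets
import time


def make_accounts():
    """Constructed sample account store (not real data): address -> record."""
    return {"example@hotmail.com": {"password": "old-secret", "wallet": ["card-on-file"]}}


class VulnerableReset:
    """The pattern described above: the reset link goes wherever the request says.

    Parameter names `email` (target account) and `sendto` (link recipient) are
    assumptions for this illustration, not Passport's actual parameter names.
    """

    def __init__(self, accounts):
        self.accounts = accounts
        self.pending = {}   # token -> account
        self.outbox = []    # (recipient, message) pairs, standing in for SMTP

    def request_reset(self, params):
        account = params.get("email", "")
        if account not in self.accounts:
            return False
        # The bug: the recipient comes from the request, not from the account record.
        recipient = params.get("sendto", account)
        token = secrets.token_urlsafe(32)
        self.pending[token] = account
        self.outbox.append((recipient, f"https://example.invalid/reset?token={token}"))
        return True

    def complete_reset(self, token, new_password):
        account = self.pending.pop(token, None)
        if account is None:
            return False
        self.accounts[account]["password"] = new_password
        return True


class HardenedReset:
    """Fix: the link is only ever sent to the address registered for the account.

    Also: unguessable single-use token, short expiry, and the same response whether
    or not the address exists, so the endpoint cannot be used to enumerate accounts.
    """
    TOKEN_TTL = 15 * 60  # seconds

    def __init__(self, accounts, now=time.time):
        self.accounts = accounts
        self.now = now          # injectable clock so expiry can be exercised offline
        self.pending = {}       # token -> (account, expiry timestamp)
        self.outbox = []

    def request_reset(self, params):
        account = params.get("email", "")
        if account in self.accounts:            # any `sendto` parameter is ignored
            token = secrets.token_urlsafe(32)
            self.pending[token] = (account, self.now() + self.TOKEN_TTL)
            self.outbox.append((account, f"https://example.invalid/reset?token={token}"))
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, token, new_password):
        entry = self.pending.pop(token, None)   # single use: gone after the first attempt
        if entry is None:
            return False
        account, expiry = entry
        if self.now() > expiry:
            return False
        self.accounts[account]["password"] = new_password
        return True


def token_from_link(message):
    return message.split("token=", 1)[1]


def attack(service, victim="example@hotmail.com", attacker="attacker@example.invalid"):
    """Attacker knows only the victim's address; returns True if the account is taken over."""
    service.request_reset({"email": victim, "sendto": attacker})
    links_to_attacker = [msg for rcpt, msg in service.outbox if rcpt == attacker]
    if not links_to_attacker:
        return False
    return service.complete_reset(token_from_link(links_to_attacker[0]), "attacker-chosen")


if __name__ == "__main__":
    print("vulnerable flow taken over:", attack(VulnerableReset(make_accounts())))
    print("hardened flow taken over:  ", attack(HardenedReset(make_accounts())))
```

Running the script shows the vulnerable service handing the account to the attacker and the hardened one refusing, since its only outgoing message goes to the registered address. In a real deployment the token should additionally be stored hashed, so that a leaked database does not yield usable reset links.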

The incredibly simple exploit came to light when security researchers in Pakistan announced it on May 7. The following day, Microsoft disabled the password-change procedure, which had been added to Passport in September 2002. The company then released a bulletin on May 9 saying the problem had been corrected.

I've recommended against using Passport since I revealed in a Sept. 10, 2001, InfoWorld article ("Passport is cracked") that technicians could easily capture passwords from any Passport account holder who used a Windows 9x or Me machine to connect to an ISP.

Numerous experts have found other serious weaknesses. For example, researchers at AT&T Labs warned in a 2000 publication that Passport's redirection of browsers to Microsoft's servers was not protected by SSL (Secure Sockets Layer), again leaving passwords open to inquisitive ISP employees.

In August 2002, Microsoft agreed to settle a complaint filed by the U.S. Federal Trade Commission (FTC) against Passport and its Wallet credit-card payment feature.

  • "Microsoft falsely represented," according to the FTC action, "that it employs reasonable and appropriate measures under the circumstances to maintain and protect the privacy and confidentiality of consumers' personal information collected through its Passport and Passport Wallet services, including credit card numbers."

One researcher who sounded the latest alarm bells, Qazi Ahmed of PakCERT (Pakistan Computer Emergency Response Team), said in a statement that other issues remain unsolved in Passport. "We were forced to release this information publicly," Ahmed reported, "as these vulnerabilities are actively being exploited in the wild and are some of the most severe vulnerabilities ever found in Microsoft Hotmail/.Net/Passport." He declined to reveal technical details of the other problems because, he said, Microsoft has no fix available yet.

My take? Don't use Passport or enter any credit-card or financial information into it. Unfortunately, this may be difficult for some users. Microsoft requires a Passport account to access several of its services, including Hotmail and technical support for some consumer products. But I'd say you can have a Wallet full of credit cards or you can have a wallet full of credit cards. The choice is yours.

My thanks to reader James Merrill for his help on this topic. To send me more information about this, or to send me a tip on any other subject, visit WindowsSecrets.com/contact.


FORWARDING INSTRUCTIONS - news gains value when it's shared

Please share this information with your colleagues
You're encouraged to refer your friends and colleagues to this free newsletter. Because most e-mail programs don't correctly display a formatted message that's been forwarded, simply call people's attention to the permanent Web address of this issue: BriansBuzz.com/w/030522.


HERE'S A TIP - you'll get a better newsletter if you choose the paid version

You're reading the free version of Brian's Buzz on Windows
Subscribers to the paid version are receiving additional information this week with my views on the most important new Microsoft updates and the best new freeware:
  • Media from some well-known backup programs suddenly won't restore when the latest Windows service pack is installed.
  • Get free memory optimization tools for 9x, Me, 2000, XP, and NT.
  • Play music videos randomly with a new freeware screen saver.
In addition, at least once per calendar quarter, I acquire the rights to worthwhile stuff and allow the paid subscribers to download it for free.

If you make a contribution before June 4, 2003, you'll be sent the full, paid version of this week's newsletter. If you find just one tip this year that saves you time and money, wouldn't that be worth a few bucks?

New payment method: In addition to credit cards, eChecks, and PayPal payments, you can now contribute using paper checks and money orders. Visit the link below, then select "Checks and money orders" to use this option.

To upgrade to the paid version, please visit WindowsSecrets.com/upgrade. Thanks in advance. --Brian Livingston


THE WEIRD WIDE WEB - playing for you the Internet's greatest bits

Photographs: Virtual attractiveness is more than meets the eye
Quick! Look through these photographs of healthy young men and women and choose the one you find the most attractive.

In actual experiments, the people who volunteered to rate the faces were clear that certain ones were much better looking than others. Here's the kicker - each face that was selected as the best was computer generated by morphing all the photographs of the same sex together into one.

The site that conducted these experiments won a European student prize for its project. The work was done in Germany, but the site's English section (see link below) is a perfect translation. There are about a dozen pages, and it's hard for me to choose which one is the most intriguing. Virtual Attractiveness

