Sep. 13 1999
Hotmail Found Insecure; Rotating MSN Execs; Windows Found Insecure; Cool is Coming; Deceiving Daily News Ads
The small group of people believing Web-based e-mail is secure was made even smaller on August 30, when two European Web sites allowed anyone to access MSN Hotmail's 40 million accounts without a password. The sites, in the UK and Sweden, provided a simple form into which anyone could enter a Hotmail login name and then read, delete and forward messages on the Hotmail servers. The problem appears to have been the result of sloppy programming on an outdated section of the site. Essentially, Hotmail was configured to accept any login name as a valid ID, as long as it was sent in a specific URL. As a result, anyone that knew that URL and the user name of any Hotmail customer could access that customer's account.
Once the problem was discovered, Microsoft disabled Hotmail for two hours - after which time they pronounced the service fixed. But several hours later the crack sites were working again, so Microsoft briefly shut down Hotmail again, later explaining they had failed to patch one of the multiple servers involved. Microsoft's spokesman downplayed the breach, saying it was done by someone with a "specific knowledge" of advanced programming languages, even though anyone accessing the account without a password could see just how simple it was. Microsoft also claimed Hotmail was shut down only minutes after the Swedish press notified it of the problem early Monday, when in fact the service was unchanged for some twelve hours - and even then people already logged in to their own account (or anyone else's) could continue using it.
A previously unknown group calling itself Hackers Unite eventually took credit for the problem, saying they only intended to "show the world how bad the security on Microsoft really is." A member of the group claimed that he had been accessing Hotmail accounts for some eight weeks. That particular cracker blamed it on Microsoft's new MSN Passport site, a central place to login to any sites requiring a password. Hackers Unite has now redirected its sites to Microsoft's security page, since the original goal has been reached and an embarrassed Microsoft is scrambling to have Hotmail security audited.
COURT NOTES: The scheduled court session on September 10 came and went without any surprises, with both sides (as always) accusing the other of twisting the facts to make their case. The event, a rebuttal to a fact-finding session on August 10 [see NewsSource, Aug. 16 (2nd report)], had both sides filing their opinion on the evidence summaries handed in early last month.
In its filing, the Justice Department said Microsoft has "ignored most of the evidence against it" in arguments to the judge and has "mischaracterized much of the evidence that is not ignored." They specifically accused Bill Gates of being dishonest on the stand, referring to his "bizarre" taped claims of never considering Netscape a threat - despite e-mail and other evidence to the contrary.
Microsoft's lawyers in their own filing accused Justice of undermining its case with the testimony presented, then introduced new evidence supposedly showing the computer operating systems market to be thriving. Among the evidence was a copy of Dell's August 9 announcement of supporting Linux and a New York Times report about the wildly successful RedHat Software IPO. Both sides will meet again on Tuesday September 21 to give their closing arguments, with Judge Jackson issuing a preliminary ruling sometime shortly thereafter.
As expected, former SGI CEO Richard Belluzzo has been picked to head Microsoft's Consumer and Commerce Group. Belluzzo, who resigned from his position at SGI (formerly Silicon Graphics) after several consecutive quarters of bad earnings, is expected to finally give a sense of direction to the Consumer and Commerce Group's Internet offerings, MSN and WebTV. He will replace Microsoft oldtimers Brad Chase and Jon DeVaan, who were named as temporary group leaders during the Microsoft reorganization earlier this year. Chase and DeVaan will now report to Belluzzo, who himself reports directly to Microsoft President Steve Ballmer. As part of the reassignment, former Consumer and Commerce manager Ben Slivka departed Microsoft to become a director of technology at Amazon.com.
During the conference announcing Richard Belluzzo's new job [see story above], Microsoft President Steve Ballmer said Microsoft will begin offering components of Office through the Internet in the near future. Reportedly, slimmer, trimmer versions of Office components like Excel and Word will be made available directly from Microsoft and several of its current partners, to be downloaded only when needed - similar to applications on demand across a local network. A plan like this has been expected for some time, but was probably pushed to the forefront by Sun Microsystems' announcement that they will do something similar with their recently acquired StarOffice suite.
Ballmer didn't give any details or set any dates for the application hosting service, but Microsoft has been working for some time on a componentized suite known internally as Office 10, and already has several pilot programs for renting software in place. Ballmer also gave no pricing information, but we dare say they won't be giving Office out for free like Sun is with Star. Interestingly enough, if the applications are available through the Internet then they'll also likely be platform-independent, so anyone with a modern Web browser on Linux, OS/2, Unix or a Mac could run the same Office components as Windows users.
During an investigation of the Windows NT security subsystem, Cryptonym scientist Andrew Fernandes discovered something scary buried deep inside Windows. Microsoft includes a feature called the 'CryptoAPI' in Windows 95, 98, NT4 and 2000 so individual programs won't have to do the heavy calculations involved in encrypting data. But as Fernandes discovered, Microsoft forgot to remove the identifying components from one of CryptoAPI's two decryption keys in NT Service Pack 5. The first one that was already identified is used by Microsoft to verify that CryptoAPI system updates are genuine. The second key, called NSAKEY, is apparently there for the US National Security Agency. If the NSA actually had access to it, the key would allow faulty CryptoAPI services to be loaded on a computer without permission, thus making encrypted information decodable.
Following several critical news reports, Microsoft issued a statement confirming the existence of NSAKEY, but said it is only there to "ensure compliance with U.S. export laws," and has not been shared with any government agency or outside company. Whichever way Microsoft intended the key to be used, its existence has actually made those excessively strict encryption laws easier to break; NSAKEY is simple to remove, meaning anyone can replace it with an illegal-strength cryptology service without the approval of Microsoft or the NSA.
While one of IBM's many personalities is giving Windows 2000 its full support, another one is attacking it as being incomplete and unstable. During a briefing at its Research Triangle complex in North Carolina, IBM executives said Microsoft must add a wave of features to Windows 2000 before it will be a viable system. Features like better support for multiple processors, improved clustering features and a more compatible management console. Features that IBM doesn't expect to see until at least the second versions of 2000.
But then at the same briefing, the same executives announced IBM will have half a dozen major products designed for Windows 2000 ready by the time it ships. They then proudly announced the creation of a new division that will work exclusively with Microsoft technology, and said that IBM's current e-Business units will be trained to implement Microsoft's Next Big Thing.
According to an internal memo acquired by the Washington Alliance of Technology Workers and then passed on to the media, Microsoft is telling its managers to reduce their dependency on temporary employees. The note, dated last month, reportedly tells managers working on Windows 2000 to prepare their contract workers to find new work in the near future. It isn't clear if the memo is part of a new company-wide strategy or just preparation for the completion of Win2k, but it appears that Microsoft is finally enforcing a policy requiring temps to wait 31 days after completing a job before returning. That policy was enacted late last year after Microsoft lost a second court battle with former temporary employees [see NewsSource, Nov. 23 '98 (7th report)].
Windows 2000 is looking more and more likely not to ship until next year, since earlier this month Microsoft delayed the operating system's Release Candidate 2 beta by two weeks. On September 3, Microsoft said RC2 would be pushed back from that week until late September, and then delayed Release Candidate 3 until October 27 - meaning RC3 won't be out until at least the first of November. Sources say Microsoft is aiming to release Win2K to manufacturers by Comdex on November 15, but feel that later goal will also slip unless RC3 is an unusually good build. But as we originally said some six months ago, Windows 2000 will not hit retail shelves until at least the beginning of February.
A hacker group claims to have broken into windows2000test.com, a site Microsoft created in order to encourage illegal hacking activity [see NewsSource, Aug. 09 (3rd report)]. The group says it disabled the Windows 2000-based server with a "poison packet" technique, choking it down by sending pieces of information that appeared to be normal size but were actually quite large. A Microsoft spokesman admitted that the trick worked; however, he said that the hackers never gained control of the machine and only managed to shut down a guestbook page. The spokesman added that another hacker managed to break into the server on August 17th, but gave no details.
According to sources, Microsoft is preparing to release Cool, the latest in a long line of Java killers, sometime before the end of October. Cool was proposed last year by Microsoft VP Paul Maritz as 'clean room' Java - technology able to run Java Applets but not using any code from Java itself [see NewsSource, Feb. 22 (4th report)]. But Cool isn't a language in its own right, rather an extension of C++ intended to wean developers from Java. Cool is one of the technologies in Microsoft's Common Object Module + technology, a key part of Windows 2000. After the shipment of Cool, Microsoft will reportedly continue supporting its Java development tools but will no longer actively develop new ones.
At the same time it pushes customers and partners to adopt Windows 2000, Microsoft is having trouble with its own networks running the system. According to an outside technician, every time Microsoft installs Win2k Server on a segment of its own network, that segment slows down significantly. The tech adds that Microsoft's own engineers have yet to figure the problem out, making it unlikely that anyone outside the company that installs Windows 2000 will be able to fix it either. But not to worry, the problem is sure to be solved when Windows 2000 ships, since the last promised release date is some three weeks away.
After announcing its plans to stop supporting NT for the Alpha processor, Compaq received a flood of negative feedback from its customers and resellers. While NT Alpha only accounts for a minuscule 2% of Compaq's Alpha sales, it was as much as 50% of some Compaq partners' business. But even if Compaq executives change their minds and want to resume NT Alpha, Microsoft would have to give permission first, something that isn't considered to be very likely.
NT Alpha sales were particularly high in China, where fifteen percent of the country's Web sites use that system. Compaq is rumored to be working on a buyback program in that country, where companies can trade their copies of NT Alpha in for VMS, Tru64 or Unix, or completely exchange the Alpha hardware for an Intel-based solution. A similar plan is launching in the US, although Compaq won't replace any applications on the platform you choose in either location.
As part of Microsoft's goal to control every cable company in the world, it and AT&T's Liberty Media have formed a joint venture with United Pan-Europe Communications, UnitedGlobalCom's European cable subsidiary. The companies said they aim to explore content and distribution opportunities in Europe, most likely producing a branded version of Microsoft's Internet access service. While everyone involved says there are no plans to purchase United or its parent company, AT&T and Microsoft will together end up owning roughly 15% of the cable operator.
On September 3rd, Sun Microsystems filed two motions in a San Jose federal court asking that an injunction against Microsoft be reinstated. The injunction, forcing Ms to stop shipping its own version of Java earlier this year, was recently overturned by an appeals court because the original ruling was too vague [see NewsSource, Aug. 30 (1st report)].
Now pushed back almost as many times as Windows 2000, Microsoft has again delayed the release of Internet Explorer 5 for the Mac. Microsoft originally had plans to release it shortly after the Windows version in July, but then delayed it until fall, and now says that the release will be no sooner than winter because of "quality control" problems.
The American Society of Magazine Editors has accused Ms of deliberately misleading Web surfers with its long-running 'Daily News' ad campaign. Specifically, ASME says banners running on Forbes.com and other sites mislead readers because they look like editorial content. If the publications are found unethical, they could be expelled from the ASME and made ineligible for major publishing awards.
A Real Windows Back Door
'A Flaw Worse Than Melissa'
IE5 flaw makes PCs vulnerable
Microsoft says life's simple
Is MSN Messenger Losing the War?
MS e-village people head for Brighton
Windows 2000 adoption to cost a pretty penny
Slivka latest MS exec to join exodus