Hotmail hacked, but who's to blame?

1999-07-31

Yes, it is highly embarrassing to Microsoft that their Hotmail service, currently with over 40 million subscribers, was broken into by a bunch of hackers. The fall-out from the incident has, as usual, reinforced Microsoft's reputation on two counts: the security of the Microsoft software that Hotmail runs on, and the inability of MSN to tell its customers that anything had happened.

The wider issues raised by this incident are just as telling. First, given that the computer industry has been in existence for at least thirty years, the question must be asked why so-called global class systems are still open to attack. This boils down, unfortunately, to the global IT community's acceptance of mediocrity: the theory and practice of computer security are well understood, but their implementation is often seen as non-core functionality. Products have come to market too soon, have been rolled out without sufficient attention to security and have been left to evolve into the complex morass we now know as "infrastructure". Even today, new versions of operating system software are released without being properly tested. We all know this, but we foolishly accept it as the norm.

In many organisations, clearly including Microsoft, security has become a firefighting exercise: it would appear that concerted attacks are likely to succeed. The Internet has not caused this situation but has exacerbated it, by giving outsiders access to unsuitably configured corporate systems and by giving novices access to a wealth of up-to-date information about security weaknesses and how to exploit them. All of this serves only to undermine confidence in the Internet, and with reason: users are unwilling to risk even their personal credit card details by exposing them to the Web. Despite this, companies continue to over-expose themselves by ripping a hole through to the Internet from their private networks, relying on inadequate security software or poorly configured firewalls as their only protection.

Let's face it, we knew it was a risk to trust Microsoft with our email, just as it would be a risk to trust any organisation. Maybe one day we will be able to sue for breach of trust. That would be shutting the stable door after the horse has bolted, but it could force corporations large and small to treat security with the importance it clearly merits.

(First published 31 July 1999)