MSN hackers heaven (fwd)

Brad Dolan bdolan at use.usit.net
Sun Aug 20 10:03:33 PDT 1995




---------- Forwarded message ----------

Subject: The MSN is Hacker Heavan


As most of us are aware, the commercial online services, such as AOL,
Compuserve and Prodigy, represent certain risk to the unsophisticated user.
Unfortunately, the Microsoft Network (MSN) raises the vulnerability of such
users to unprecedented heights.

Key to this vulnerability is the richness and complexity of the MSN/Windows
95 environment.  What is most dangerous is the ability for the author of an
e-mail or (certain) BBS documents to embed "objects" in that document. These
objects can be readily disquised to appear totally benign to the casual user
and be nothing more than MSN navigational aids.  Once double-clicked by the
recipient, these objects can readily infect the recipient's PC with a virus.
Worse, what this object could do is only limited by one's imagination.  It
is worthwhile noting that MSN appears to be migrating to an open
architecture, with the MSN user connecting through the Internet.  If this is
true, there is nothing which prevents an object, once activated, from
transmitting information stored on the user's PC to any other location on
the Internet.

In theory, embedded objects can be interrogated to ensure their validity.
Unfortunately, this interrogation process is not likely to be carried out by
the average user.  Even if it is, the user is not likely to understand what
they are looking at.  It is like warning automobile drivers to look under
the hood of their car before starting it to make sure there is not a bomb
inside.  Most drivers would assume that the odds were with them.  Those that
did check would have no idea what they were looking at.  (At least that's my
feeling when I look under the hood of my car :-).

Microsoft's position appears to be that the MSN user is no more vulnerable
than one who uses a competing system.  I would maintain that this position
is just not true.  With system complexity comes excessive vulnerability.
MSN rates a 9 in complexity.  The other services a 4.

The bottom line: Users of MSN are placing themselves at significant risk.
If one must use MSN, avoid at all cost activating (double-clicking) objects
in e-mail messages and BBS posts.  Sophisticated users may think they know
what they are doing, but it probably won't be long before they are outwitted
by someone who figures out how to totally disguise an object's true purpose.









More information about the cypherpunks-legacy mailing list