Friday, May 09, 2003

I wouldn't even trust you to speak my weight!

The title today is a phrase from The Hitchhiker's Guide to the Galaxy, when Ford is expressing his contempt for a particularly irritating speaking computer. However, I'm applying this comment, and the contempt with which it was expressed, to Microsoft, or at least to some subset of employees at that company.

Now granted, Microsoft is a company that many just love to hate and love to poke fun at at every opportunity, but really, this time they have it coming. Today I read a story about Microsoft's latest security blunder, the latest in a never-ending series that I am continually reminded of, like a lingering oozing sore, every time I get a prompt to download yet another Windows security patch.

The blunder this time turned their supposedly super secure, all-encompassing .NET Passport service into just another wide open portal to all my personal information. Fortunately I've never registered anything other than a user name and an MSDN subscription with that service. So at least if someone had hacked my account, the only thing they could have stolen was Microsoft's own software.

Now I'm ready to say that all non-provable software probably has bugs, and quite likely a lot of them. Even the best, most mature software seems to have many lingering bugs, a few per 10K of code or, if you work for NASA, maybe a little better. Worse still, there's correct code which implements a bad design. It's bad design that often blows the door off security systems, and encryption systems and security systems are constantly showing up flaws; just think of WEP, for one.

This time for Microsoft it was bad design, a bug and really gross ineptitude (you should click on that link if it's the only one you click on). It turned out all you had to do to reset the password on any Passport account was to use a URL containing the phrase "emailpwdreset", presumably as an HTTP request parameter. Furthermore, the guy who discovered this had sent them about 10 emails detailing the flaw before they did anything about it.

So not only did they design a really, really simple mechanism to reset passwords and expose it on a web page, they also made the mechanism externally accessible, failed to put in internal code checks to verify it wasn't being used from outside of Microsoft (like it's not hard to hijack a domain name anyway) and finally, to add injury to insult, they ignored continued warnings that they had this problem. Oh, and even the FCC is pissed off about this one, because of their continued marketing spam saying how perfectly secure Passport is. They may even get fined, but probably only $11,000. Just what good would that do? It would cost them more than that to make the press release about the flaw. Perhaps $1 billion might make a difference?

I do hope someone got a serious ass-whooping for designing this system and exposing it to the outside world because, like the title says, now I wouldn't trust them to speak my weight, let alone guard my personal secrets. And as for the person who ignored all the warnings that there was a flaw, well, seppuku is probably the only honorable thing for them to do. And the marketing people who continue to endorse their BS security campaigns? Well, maybe rip out their tongues and poke them with a pointy stick.

Okay, I forgot, we live in a civilised society so we can't do that kind of thing. Well, maybe since they are endangering our national security (I take a guess that a good number of our government workers have Passport accounts that could have been compromised) we could use the infamous Patriot I Act to "detain" them indefinitely down in Guantanamo Bay as enemy combatants. That'll teach 'em!
