Volume 2 Issue 15 9/20/99 ** ** ***** * * ** * * *** ** *** ** ** *** ** * ** ** * ** ******** ** **** ******** * ** *** **** ******** *** *** ** * *** * ******** *** * ** **** **** * ** *** ********* * **** ** * *** * ** ** **** ** ** ** **** ** ** ** * *** * ** ** ** ** ** ** ** ** ** ** * * *** ********* ** ** ** ** ** ** ** ** ** * ******* * ** ** ** ** ** ** ** ** ** ** * ****** * ** ** ** ** ** ** ** ** ** ** * * ***** ** ** ** ** * ** ** ** ****** ** * *** * * **** ** * *** *** ** *** * ***** **** ** ******* * ** ** *** *** *** *** ***** * ** http://www.security-source.net/antidote bof_ptr = (long *)buffer; for (i = 0; i < bufsize - 4; i += 4) *(bof_ptr++) = get_sp() - offs; printf ("Creating termcap f1le\n"); printf ("b1tch is Fe3lyn 1t.\n"; ------------------------------ We normally don't do this, but please visit www.security-source.net/lordoak/hka ttmp/ and check out the "Attempted Hack", it is soooo funny! In this issue of Antidote, we have over 750 subscribers and getting more everyd ay! The only thing that we ask of you when you read Antidote, is that you go to: www.security-source.net/popup.html and click on our sponsors. One issue of Antidote takes us about a week to put t ogether and going to our sponsor only takes you about 15 seconds (if that). So please g o visit our sponsor because it is the only thing we ask of you. -)!-- Contents //--(- 0.00 - Beginning 0.01 - What? 0.02 - FAQ 0.03 - Authors 0.04 - Shouts 0.05 - Writing 1.00 - News 1.01 - Extensive security gaps persist in DoD networks 1.02 - Millions of Hotmail accounts Vulnerable 1.03 - MindPhasr arrested for Tampering with Pentagon 1.04 - More depth to the HotMail exploit 1.05 - Presidential candidates' Web sites fail privacy test 1.06 - Teens plead innocent in hacking case 1.07 - MicroSoft denies it gives Government access 1.08 - Zyklon admits to invading Government Servers 1.09 - All eyes on Hotmail Audit 2.00 - Exploits (new & older) 2.01 - http://browse.security-source.net 3.00 - Misc SAY.W - SAY WHAT? Various quotes that might be humorous, stupid, true, or just plane making fun of something or someone. FEAT.S - FEATURED SITES: http://browse.security-source.net http://www.403-security.org http://www.hackernews.com ------------------------------ -)!-- 0.00 - Beginning //--(- 0.01 -)What?(- What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, cause that would be wrong. We don't claim to be a hacking magazine. All Antidote is, is basically current news and happenings in the underground world. We aren't goin g to teach you how to hack or anything, but we will supply you with the current inf ormation and exploits. Mainly Antidote is just a magazine for people to read if they ha ve some extra time on there hands and are bored with nothing to do. If you want to rea d a maga- zine that teaches you how to hack etc, then you might want to go to your local book- store and see if they carry '2600'. ------------------------------ 0.02 -)FAQ(- Here are a lot of questions that we seem to recieve a lot, or our "Frequently Asked Questions". Please read this before e-mailing us with questions and if the que stion isn't on here or doesn't make sense, then you can e-mail us with your question . > What exactly is "Antidote"? See section 0.01 for a complete description. > I find Antidote to not be shot for the beginner or does not teach you the ba sics, why is that? Antidote is for everyone, all we are basically is a news ezine that comes ou t once a week with the current news, exploits, flaws and even programming. All of t he articles that are in here are recieved second hand (sent to us) and we very rarely edit anyone's articles. > I just found Antidote issues on your webpage, is there anyway I can get them sent to me through e-mail? Yes, if you go to www.thepoison.org/antidote there should be a text box wher e you can input your e-mail address. You will recieve a link to the current Antidote ( where you can view it). > If I want to submit something, are there any 'rules'? Please see section 0.03 for a complete description. > If I submitted something, can I remain anonymous? Yes. Just make sure that you specify what information about yourself you wou ld like to be published above your article (when sending it to us) and we will do wh at you say. > I submitted something and I didn't see it in the current/last issue, why is that? It could be that someone else wrote something similar to what you wrote and they sent it to us first. If you sent us something and we didn't e-mail you back, then you might want to send it again because we probably didn't get it (we respond to all e- mails no matter what). We might use your article in future issues off Antido te. > Can I submit something that I didn't "discover" or "write"? Yes you can, we take information that is written by anyone regardless if you wrote it or not. Well thats it for our FAQ. If you have a question that is not on here or the q uestion is on here and you had trouble understanding it, then please feel free to e-ma il lordoak@thepoison.org and he will answer your question. This FAQ will probably be updated every month. ------------------------------ 0.03 -)Authors(- Lord Oak is the founder of Antidote. Most work was done by him in Vol1 issue s 1-5 and Vol2 issues 1-13. Though, he is no longer with us. OptikNerve Current president of Antidote and security-source.net / thepoison.o rg. Most work being done in Vol2 issues 14+ is done by him. Feel free to e-m ail him at: optiknerve@security-source.net. Duece is the co-founder and co-president of Antidote, some work is done b y him when he comes online. Feel free to e-mail him at: duece@security-so urce.net ox1dation not really an author, just someone that helps us out a lot and we c onsider him as an author! His e-mail address is: ox1dation@security-source. net ------------------------------ 0.04 -)Shouts(- These are just some shout outs that we feel we owe to some people. Some are in dividuals and Some are groups in general. If you are not on this list and you feel that For some reason you should be, then please contact Lord Oak and he will post you on her e and we are sorry for the Misunderstanding. Well, here are the shout outs: Lord Oak EazyMoney OptikNerve Forlorn oX1dation PBBSER lyp0x Like we said above, if we forgot you and/or you think you should be added, ple ase e- mail optiknerve@security-source.net and he will be sure to add you. ------------------------------ 0.05 -)Writing(- As many of you know, we are always open to articles/submittings. We will take almost anything that has to do with computer security. This leaves you open for: -Protecting the system (security/securing) -Attacking the system (hacking, exploits, flaws, etc....) -UNIX (really anything to do with it...) -News that has to do with any of the above.... The only thing that we really don't take is webpage hacks, like e-mailing us a nd saying "www.xxx.com" was hacked... But if you have an opinion about the hacks that is fine. If you have any questions about what is "acceptable" and not, please feel free to e-mail Lord Oak [lordoak@thepoison.org] with your question and he will answer it. Als o, please note that if we recieve two e-mails with the same topic/idea then we will use the one that we recieved first. So it might be a good idea to e-mail one of us and ask us if someone has written about/on this topic so that way you don't waste your time on writing something that won't be published. An example of this would be: If Joe sends me an e-mail with the topic being on hacking hotmail accounts on thursday. And then Bill sends us an e-mail on hacking hotmail accounts on sunday, we will take Joe's article because he sent it in first. But keep in mind, we might use your article for the next issue! If you have so mething that you would like to submit to Antidote, please e-mail lordoak@thepoison.org or duece@thepoison.org and one of us will review the article and put it in Antid ote (if we like it). ------------------------------ -)!-- 1.00 - News //--(- 1.01 -)Extensive security gaps persist in DoD networks(- 08.27.99 [www.fcw.com] Despite countless warnings dating to 1996, the Defense Department's informatio n net- works continue to be plagued by serious security flaws and weaknesses that hav e opened up almost every area of the department to cyberattacks and fraud, according to a new General Accounting Office report. Released today, GAO's report, "DOD Information Security: Serious Weaknesses Co ntinue to Place Defense Operations at Risk," comes just weeks after deputy secretary of Defense John Hamre officiated over the ribbon-cutting ceremony of the Joint Task Force for Com- puter Network Defense. The JTF-CND, which was formed last December, serves as the focal point for DOD to or- ganize the defense of DOD computer networks and systems. When cyberattacks are detect- ed, the JTF-CND is responsible for directing departmentwide defenses to stop o r contain damage and restore DOD network functions operations. The GAO report follows up on more than two dozen reports issued since 1996 tha t have outlined serious security flaws throughout DOD. "DOD has made limited progress in corr- ecting general control weakness we reported in 1996," GAO concluded. "As a res ult, these weaknesses persist across every area of general controls." Security gaps identified in the report include weaknesses in access controls, software development and unauthorized roles and responsibilities for users. According to the report, support personnel working with an unidentified DOD sy stem were able to alter system audit logs, which record all system activity and are a c ritical tool in identifying fraud and unauthorized access. "We found at every location we visited that there was inadequate periodic revi ew of user access privileges to ensure those privileges continued to be appropriate, " the re- port stated. In one case, access authorizations for more than 20,000 users wer e not documented, according to the report. In addition, GAO found that application programmers, including outside contrac tors, "had direct access to production resources, increasing the risk that unauthori zed chan- ges to production programs and data could be made and not detected." On one system, 74 user accounts had privileges enabling them to change program source code without supervisory oversight, the report stated. Speaking to reporters at the task force ribbon-cutting ceremony, Mike Dorsey, a special agent with the Naval Criminal Investigative Service who is working directly wi th the JTF-CND to investigate computer crimes against DOD networks, said unauthorized attempts to access DOD systems are on the rise but that DOD does not have the resources to re- spond to every incident. A spokeswoman for DOD said the department is addressing all the issues contain ed in the report. "We know the department has its work cut out. But we are aggressively pursuing initiatives through a 'defense in depth' strategy," the DOD spokeswoman said. "These changes won't happen overnight, but we are moving ahead as quickly as our reso urce pro- cesses will allow." http://www.fcw.com/pubs/fcw/1999/0823/web-dod-8-27-99.html ------------------------------ 1.02 -)Millions of Hotmail accounts Vulnerable(- 08.31.99 [www.cnn.com] Millions of free Internet e-mail accounts provided by Microsoft's Hotmail serv ice were susceptible to a major security breach that allowed access Monday to users' ac counts. The breach worked via a simple Web address which prompted for a Hotmail userna me. Once the username was entered, the Hotmail account came up and the mailbox was avai lable. The hack opened all accounts tested by CNN Interactive, but e-mail messages co uldn't always be opened. There was no immediate information on how long the breach was active. Shortly after CNN Interactive posted the story, the site was changed to a simple message, "Micro soft rules." Shortly after that, the URL redirected the user to a site for a new We b comp- any. The breach allowed users to read and forward a member's old messages, read new messages and send e-mail in some cases under the name of the user -- assuming the membe r's i- dentity. Hotmail boasts 40 million subscribers. A morning telephone call made to the public relations firm that handles Micros oft's publicity was referred to Microsoft's main number in Redmond, Washington. That call was forwarded by an operator to Microsoft's Corporate Security Desk. "You should send that to abuse@hotmail.com. " said Greg Betcher, at that desk. Erik Barkel, of Stockholm, Sweden, was listed in the domain name directory Int ernic as the administrator for the Web site's domain, but a call to his number did not go through. http://www.cnn.com/TECH/computing/9908/30/hotmail.hack.01/ ------------------------------ 1.03 -)MindPhasr arrested for Tampering with Pentagon(- 08.31.99 [www.nandotimes.com] A teenager said to be the founder of a hacker group called "Global Hell" was c harged Monday with illegally gaining access to a Pentagon computer. The Justice Department announced that Chad Davis, 19, of Green Bay, was arrest ed and charged in a federal complaint with hacking into the U.S. Army computer and ma liciously interfering with the communications system. The complaint said he gained illegal access to an Army Web page and modified t he con- tents. He also was accused of gaining access to an unclassified Army network a nd re- moving and modifying its computer files to prevent detection. http://www.nandotimes.com/technology/story/0,1643,87791-138724-965254-0,00.html ------------------------------ 1.04 -)More depth to the HotMail exploit(- 09.01.99 [www.zdnet.com] It's not the crime, it's the cover-up. Even before it fully closed a hole that left millions of customers' email wide open to prying eyes, Microsoft was already practicing spin control, telling CyberCrime Monday morning that the company had simply fallen prey to an evil genius. "The situation was that there was a hacker who wrote some advanced code to bas ically bypass the Hotmail login process," said Rob Bennett, Microsoft's director of m arketing. "This person did have very specific knowledge of how to write development code , and put up a website apparently that allowed people to put in a user name. "That code does not work anymore and there should be no future attacks from th is per- son." Bennett added. Nobody cracked Hotmail with elite hacking skills. Microso ft screw- ed up. What a relief. We can only hope that the culprit will be swiftly brought to ju stice and pay a high price for using his or her rare skills to attack the Web's leading free e- mail provider. The only problem is that there was no "advanced code," and there was no hacker . Hotmail was vulnerable because of a design error that caused the service to di spense with the formality of verifying passwords for users who logged in through a pa rticular entry point: http://wya-pop.hotmail.com/cgi-bin/start. That entry point had been in wide use since June of 1998, when Michael Nobilio created a piece of free Web code that allowed Hotmail subscribers to log in to their a ccount through other websites. The code prompted users for their account name and pas sword, then passed that information along to Hotmail's login program. It was a popular utility, which could be found on sites all around the Net. At some point, perhaps over a week ago, it became significantly more popular when Hotm ail began ignoring the password field and allowing anyone to access any account with any pass- word. http://www.zdnet.com/zdtv/cybercrime/chaostheory/story/0,3700,2325507,00.html ------------------------------ 1.05 -)Presidential candidates' Web sites fail privacy test(- 09.03.99 [www.news.com] For presidential candidates, there really is no such thing as privacy. But the same could be true for unwitting visitors to their Web sites, according to a new st udy. Many White House contenders are using the Web to rustle up volunteers, campaig n contri- butions, and suggestions. But with all the personal information they are colle cting, only 2 out of the top 11 candidates have privacy statements on the front pages of their Web sites as of late August, according to a new study by the Center for Democr acy and Technology (CDT), a nonprofit public policy group. "Many of the candidates have discussed the importance of privacy for the futur e," Ari Schwartz, CDT's policy analyst, said in a statement. "But their actions within their own campaign speak louder than their words." Representatives for the candidates could not immediately be reached for commen t. Numerous Congress members, the Clinton administration, and the European Union have called for Web sites to disclose their data collection practices and clearly s tate to users how their sensitive personal data will be used. Now CDT is calling on presidential hopefuls to do the same. Citing its report, A First Test: The Candidates and Their Privacy Policies, the CDT sent letters to the c andidates today calling for a swift change in protocol. Vice President Al Gore and Sen. John McCain (R-Arizona) both have posted priva cy poli- cies on their Web sites. That is not surprising; Gore has pushed a so-called e lectronic bill of rights to ensure better privacy protections in the digital age. And as chair of the powerful Senate Commerce Committee, McCain has been a gatekeeper for most Net-rela- ted proposals that pass through Congress. But others are falling short, according to CDT. The group gave the following Republicans "F" grades for the absence of a priva cy state- ment on their sites: Gary Bauer, Pat Buchanan, George W. Bush, Elizabeth Dole, Alan Keyes, and Dan Quayle. Candidate Steve Forbes got a "B" for mentioning privacy on his volunteer page and post- ing a policy on his contribution section. And Sen. Orrin Hatch (R-Utah) landed a "B+" for the privacy statement on his volunteer and donation pages. But Democrat Bi ll Brad- ley got only a "C+" for the sole privacy policy found on his volunteer page. "Election law requires that donors giving over $200 to a campaign be reported, so the Web sites ask for name, address, employer, and occupation, as well as credit c ard num- ber for online contributions, and often other information," the report states. "In the past, however, campaigns have been accused of selling or trading the n ames and information of their contributors and volunteers for purposes unrelated to the explicit reason for which this information was collected," the study continues. "Theref ore, the candidates' respect for the privacy of campaign volunteers and donors is an ea rly test of their policy, perhaps indicating how high a priority privacy would be in th e candi- date's administration." The group wants candidates to let Web users know whether they intend to sell o r share the data collected about volunteers and donors; to let visitors indicate wheth er they want their data shared; and to give individuals access to their personal infor mation held by the campaign to correct inaccuracies. http://www.news.com/News/Item/0,4,41255,00.html?st.ne.fd.mdh.ni ------------------------------ 1.06 -)Teens plead innocent in hacking case(- 09.03.99 [www.usatoday.com] Four teen-agers charged with hacking into the computer systems of the Pentagon , NASA and the Israeli parliament pleaded innocent Thursday, the lawyer for the alleg ed ring- leader said. Shmuel Tzang said his client, Ehud Tenenbaum, 19, broke no law when he penetra ted the Internet sites of American and Israeli institutions because there was no notic e on the sites declaring them off-limits. The other defendants are Guy Fleisher, Ariel Rosenfeld and Rafael Ohana. Their ages were not given, but the indictment said they were all born in 1979, making the m all 19 or 20. Another defendant, Barak Abutbul, has confessed to helping Tenenbaum break int o the computer systems and has agreed to testify against him in exchange for a light er sen- tence. Police have said that Tenenbaum, who used the name ``The Analyzer'' on the Int ernet, was the group leader and tutored the others in the unauthorized penetration of computer systems. An Israeli magistrate ordered charges that the teens broke into computer syste ms of ex- tremist groups in the United States dropped, and asked the two sides to reduce their witness lists by having some people submit affidavits instead of testifying, T zang said. The original list includes 10 U.S. witnesses, mostly FBI agents, who would be flown in from the United States at Israel's expense. Tenenbaum did not address the court as his lawyer entered the plea. The two sides will return to court Oct. 10 to tell the judge if they were able to re- duce the number of witnesses. A trial date has not yet been set. The defendants face a maximum sentence of three years in prison if convicted. None are in custody. http://www.usatoday.com/life/cyber/tech/ctg016.htm ------------------------------ 1.07 -)MicroSoft denies it gives Government access(- 09.08.99 [www.theage.com.au] Microsoft Corp sought to assure consumers that it did not insert a secret back door in its popular Windows software to allow the US government to snoop on their sens itive computer data. The sensational charge of a quiet alliance between Microsoft and the US Nation al Secur- ity Agency came after a Canadian programmer stumbled across an obscure digital ``sign- ing key'' that had been labeled the ``NSA key'' in the latest version of Micro soft's business-level Windows NT software. An organisation with such a signature key accepted by Windows could theoretica lly load software to make it easier to look at sensitive data _ such as e-mail or finan cial re- cords _ that had been scrambled. The flaw would affect almost any version of W indows, the software that runs most of the world's personal computers. Microsoft forcefully denied yesterday that it gave any government agency such a key, and explained that it called its function an ``NSA key'' because that federal agency reviews technical details for the export of powerful data-scrambling software. ``These are just used to ensure that we're compliant with US export regulation s,'' said Scott Culp, Microsoft's security manager for its Windows NT Server software. ` `We have not shared the private keys. We do not share our keys.'' The claim against Microsoft, originally leveled by security consultant Andrew Fernandes of Mississauga, Ontario, on his Web site, spread quickly in e-mail and discuss ion groups across the Internet, especially in those corners of cyberspace where Mi crosoft and the federal government are often criticised. Culp called Fernandes' claims ``completely false.'' An NSA spokesman declined immediate comment. Bruce Schneier, a cryptography expert, said the claim by Fernandes ``makes no sense'' because a government agency as sophisticated as the NSA doesn't need Microsoft 's help to unscramble sensitive computer information. ``That it allows the NSA to load unauthorised security services, compromise yo ur opera- ting system _ that's nonsense,'' said Schneier, who runs Counterpane Internet Security Inc. ``The NSA can already do that, and it has nothing to do with this.'' Fernandes, who runs a small consulting firm in Canada, said he found the suspi ciously named ``NSA key'' _ along with another key for Microsoft _ while examining the software code within the latest version of Windows NT. The existence of the second key was discovered earlier by other cryptographers , but Fernandes was the first to find its official name and theorise about its purpo se. ``That (the US government) has ... installed a cryptographic back door in the world's most abundant operating system should send a strong message to foreign (inform ation technology) managers,'' he warned on his Web site. But Fernandes seemed less worried yesterday in a telephone interview. ``I don't know that they have reason to lie,'' he said. ``The main point is, y ou can't really trust what they're saying. They've been caught with their hand in the c ookie jar. In fact, I think they're being fairly honest, but you don't know what els e is in Windows.'' http://www.theage.com.au/daily/990904/news/news50.html ------------------------------ 1.08 -)Zyklon admits to invading Government Servers(- 09.08.99 [www.news.com] A 19-year-old computer cracker with the screen name "Zyklon" pleaded guilty to day to attacks involving Web pages for NATO, Vice President Al Gore, and the United S tates In- formation Agency (USIA), prosecutors said. Prosecutors from the U.S. Attorney's Office said Eric Burns of Shoreline, Wash ington, also admitted in federal court in Alexandria, Virginia, that he had advised ot hers on how to attack the White House Web site in May. They said Burns faces a maximum possible punishment of five years in prison an d a $250,000 fine, and he could have to pay restitution. His sentencing is schedul ed for November 19 before U.S. District Judge James Cacheris. Burns acknowledged that the computer intrusions caused damages exceeding $40,0 00, the prosecutors said. He admitted to cracking computers in Virginia, Washington st ate, Lon- don, and Washington, D.C. Prosecutors said Burns designed a program called "Web bandit" to identify comp uters on the Internet vulnerable to attack. He found that the computer server at Electr ic Press in Reston, Virginia, was vulnerable and attacked it four times between August 1998 and January 1999, they said. Electric Press hosted the Web pages for NATO, the vice president, and USIA. Prosecutors said the attacks affected U.S. embassy and consulate Web sites, wh ich de- pended on the USIA for information. One attack resulted in the closing down of the USIA Web site for eight days, they said. Prosecutors said Burns attacked the Web pages of about 80 businesses whose pag es were hosted by Laser.Net in Fairfax, Virginia; the Web pages of two corporate clien ts of Is- sue Dynamics in Virginia and Washington, D.C.; and the University of Washingto n Web page. They said Burns also attacked an Internet service provider in London. Burns usually replaced the Web pages with his own, which often made references to "Zy- klon" and his love for a woman named "Crystal," they said. The prosecutors said there was an attempt to replace the White House Web page with one referring to "Zyklon" and "Crystal" in May. The White House was forced to shut down the page for two days, and the computer system was reconfigured. Although Burns took credit for the attack during an Internet chat session, he told the judge he simply had provided advice to others on how to do it, the prosecutors said. http://www.news.com/News/Item/Textonly/0,25,41358,00.html?pfv ------------------------------ 1.09 -)All eyes on Hotmail Audit(- 09.13.99 [www.wired.com] Can the Internet industry spank itself? Some are watching the outcome of the l atest major Web breakdown to see. Microsoft has chosen an undisclosed independent auditor to give Hotmail a secu rity once-over. As it does so, the company, industry watchdog Truste and privacy ad vocates cast the audit as a testament to -- or failure of -- effective self-regulation . Following a recommendation last week by Truste, Microsoft went about choosing an inde- pendent auditing firm this week to test the security of its free Hotmail email service. "We're doing an independent review or audit of the Hotmail incident of last we ek, which got lot of attention," said Microsoft spokesperson Tom Pilla. Hotmail users were confronted with an alarming security breach last week. Hack ers expo- sed every Hotmail email account so that anyone who knew a person's username co uld acc- ess that account without a password. "Truste said Microsoft was in compliance and believed [the Hotmail security is sue] to be resolved. But we are continuing to investigate that incident completely to ensure that the service complies with the high standards we put on consumer privacy," Pilla added. Truste spokesman Dave Steer emphasized that his organization didn't order Micr osoft to hire an auditor; rather, it was a recommendation. Pilla underscored the point. "They suggested and we agreed. It's not something we had to do." So if the agreement was such a non-threatening, voluntary arrangement, does it stand up as an effective demonstration of the power of self-regulation? "Yeah, I think it [does]," Pilla said. "As soon as the incident occurred we [w ere] in close coordination with Truste, as we always are on these things." Last week, Truste took an initial stance that the incident was a security issu e, not a privacy matter. But Steer said the organization sees the two issues as connect ed, and a Truste statement on the organization's Web site clarifies its position. "The statement clearly highlights the fact that there's not trust without priv acy and similarly there's not privacy without reasonable security of the data being pr otected," Steer explained. "So in some instances, yes -- security and privacy go hand in hand." Jason Catlett, a privacy advocate who closely watches the self-regulation issu e, was guardedly impressed by the sheer notion of an audit. "I don't write it off as [a] meaningless act. I'm quite pleased that they have agreed to an independent audit. It's a small window opened in the fortress Redmond," he said. But Catlett read hidden meaning in the unprecedented Microsoft decision, and d oesn't see it as evidence of self-regulation's effectiveness. "Basically, [Microsoft] realize[s] that nobody believes a single word they say anymore, so they're paying an accounting firm to say things for them." The nature of this security breach -- a simple function of logging into an ema il a- ccount -- made it easier for Microsoft to open up Hotmail for review, Catlett said. In contrast, the company's undisclosed use of a unique identifier in Microsoft Office documents and Microsoft cookies created during user registration of Windows, h ad much broader implications. Thus, when an audit was badly needed, Microsoft declined. "Truste didn't do an audit [in that case] so [Catlett's Junkbusters watchdog g roup] went to the FTC and asked them to require an audit, and Microsoft just refused ." This time, "Truste suggested an audit and Microsoft agreed -- this is the cozi est regu- lation imaginable," Catlett said. Pilla disagreed. "I think it's a very good expression of self-regulation," he said. "I think our swift response to the Hotmail incident coupled with inviting a third party review is evidence of our commitment to protecting people's online privacy." The legitimacy of the Hotmail audit will depend on the particular security iss ues the auditing firm is asked to test. "Management makes some assertion and the actin g firm attests to that assertion. If the assertions are very limited, then the conclu sion [of the] accounting firm is very limited," Catlett said. Pilla said he couldn't comment on the specifics of the audit yet. "We don't kn ow what the process is, moving forward." He also wouldn't say whether the public would ever get to review the test cond ucted by the auditing firm. As to skepticism of the self-regulatory process, Truste's Steer said, "We don' t dictate where the program is going to go based on the skeptics. We have to take a good hard look at what the consumer needs. ... Any reasonable person can take a look at what's going on right now and come to their own conclusion. If you ask me personally, I think this is an example that the system worked." Whatever the outcome, it will no doubt be logged into any case histories seeki ng to build a case for or against self-regulation. Pilla said the audit should take "not months but a fairly short amount of time ." Said Catlett: "They're on a tightrope where they're trying to maintain credibi lity as a consumer advocacy organization while still not scaring away potential licensee s with any real prospects of sanctions." http://www.wired.com/news/news/technology/story/21691.html ------------------------------