Posted by: kurtsh | June 2, 2008

NEWS: Kim Cameron says ohnoyoudidnt! to claim of having hacked Microsoft CardSpace

PC World wrote an article about three college students who claimed to have ‘hacked’ Microsoft CardSpace, the secure personal information management system for Windows users (and technically other platforms), and published it under the title "Researchers Breach Microsoft’s CardSpace ID technology".

Kim Cameron, Chief Architect of Identity at Microsoft, and the Father of Metadirectory Technology as we know it today, reviewed the purported "breach" and found that the claim didn’t hold water.  It would appear that PC World took the students at their word and never really thoroughly investigated or verified their claims.  Taken from Kim’s blog:

I’ve spent a fair amount of time reproducing and analyzing the attack.  The students were not actually able to compromise my safety except by asking me to go through elaborate measures to poison my own computer (I show how complicated this is in a video I will post next).  For the attack to succeed, the user has to bring full administrative power to bear against her own system.  It seems obvious that if people go to the trouble to manually circumvent all their defenses they become vulnerable to the attacks those defenses were intended to resist.  In my view, the students did not compromise CardSpace.

The bottom line is that the ‘breach’ is effectively an "inside job".  Kim published his response to the PC World/German students’ claim here (http://www.identityblog.com/?p=987), and then he follows it up with another post, "How to set your computer up so that people can attack it" (http://www.identityblog.com/?p=988).

(I’m sorry – normally I don’t comment on this blog, but you really have to see the video (http://www.identityblog.com/wp-content/images/2008/05/Students/Students.html) that Kim created at this link – I found it hilarious.  Kim goes to great lengths to demonstrate how ridiculous the ‘breach’ claim ultimately was and, tacitly, how little verification must have been done before going to press with the article.  He could have called his blog entry, "How to undermine your own computer’s security so that others can claim to have hacked it and you can get famous in a nationally known publication.")
