Microsoft Cracked

Lyserjic seems to have been first with the news. Some linkage: CNET. CNN. AP. MSNBC. BBC. MSNBC's story is a copy of the Wall Street Journal article which apparently broke the news - it's the most complete.What's known - the passwords were being sent to St. Petersburg, Russia. They probably had access for about three months.

Re:Not A Good Thing

Maybe, maybe not.

While I agree with you that this is going to look bad in just about any light, a few things need to be kept firmly in view.

• We do *not* at this point know if the crackers in fact took source code. We know, according to Ballmer, that they did indeed *view* the code. But did they actually get hold of a copy? Without knowing this answer, we can't accurately predict if and how that source code will be distributed to the net.
• Yes, it's true, Microsoft will in all likelihood attempt to spin this as being all the fault of those nasty, evil, commie Open Source people. But is it? The best defense against FUD is the truth, and finding out just who did this, and why, will go a long, long way towards blunting the flood of bullshit that's even now beginning to emit from the general direction of the Pacific Northwest.
• What will Microsoft be able to claim as protection in the event the source *does* get out to the internet? Trade secret status? One of the most important things to come out of all that DeCSS litigation was, if I remember correctly, the statement from the judge that once a trade secret is publicized, no matter how, it's not a secret anymore. What, if anything, can MS use? Copyright violations? Won't hold water if any GNU or other public code is discovered in *their* code. Sure, they might try to invoke the DMCA or something like that, but honestly, what will they be able to prove or accomplish? Once the secret's out of the bag, it's *out* - whether or not that's a good thing.

Yeah, it's for almost damn sure that there's going to be a very, very ugly war of ideologies, rhetoric, and politics resulting from this little stunt. But the key for anyone who opposes Microsoft and its slipshod methodologies which produce, in my not-so-humble opinion, second-rate software, is to keep the debate focused upon the facts and the truth. This exploit was the result of a well-known security issue, one that's been around for months, and one which Microsoft *should* have been able to guard against. This exploit was more than likely the result of a rotten-to-the-core policy decision that allows Outlook to execute arbitrary code with nigh-unfettered access to the operating system internals.

Yes, this hack was probably a very, VERY unwise decision by the culprits. Yes, there will be a truly astounding storm of shit over the matter. But, if Microsoft's opponents play their cards correctly and with a bit of savvy, there can be a world of good which comes out of it, too.

But first, maybe we should all sit back and try to figure out exactly what happened, how it happened, who caused it to happen, and most importantly, why it happened.

If nothing else, that approach will choke off some of these tiresome, pointless accusations and counteraccusations.

Chris Tembreull
Web Developer, NEC Systems, Inc.

Open source in danger

Before everyone here gets into a frenzy of self-important "Micro$oft are lusers" posts, I think it's important to discuss just how bad it would be if they have actually had the source code for their operating systems stolen by these hackers. And not for Microsoft, no, but for people engaged in open source projects like Wine, or people building Windows compatible operating systems.

What are Microsoft going to end up doing? They now have the perfect ammunition to claim that these projects have received help in their tasks from people who are willing to engage in criminal persuits, and that these products have improved as a direct result of this crime. Then, all they need to do is take the creators of Wine to court over this, and hey presto, there goes a project which was making Linux look good against Windows.

Unfortunately, because of the hacker ethos about security and the fact that the ranks of open source programmers already include criminals (Randall Schwartz), judges without any real clue are quite likely to buy this.

Haven't even gotten to SUBTLE Win-security holes..

.. because there have been so many blatant ones. How can anyone say that there isn't a Win32 equivalent of buffer overflows, or string format errors? One of those things they did somewhere down the line for performance was to yank some of the API parameter checking.

But so far, crackers haven't had to look for holes or real problems in the code, because *THE PUBLISHED API, ITSELF CAUSES HOLES*. Windows is still back at the "Morris Worm" days of security, if even that far along. How long ago was that?

Only ROGUE companies, eh....

Other possible motives include economic espionage, though experts said only a rogue company might knowingly buy stolen software, using it either to improve its own products or make those products more compatible with Microsoft's best-selling operating systems.

Well, the article said it all: only BAD companies would want to make products MORE COMPATIBLE with Windoze...

--
Americans are bred for stupidity.

The heart of the problem...

This quote taken from the Yahoo coverage..

"The code could also be purchased by an unscrupulous company looking to make its applications work more smoothly with Microsoft's dominant operating systems"

Who is 'unscrupolous'?, the company trying to improve their software for the greater good of everyone? I think it is the company that won't reveal the source code...the company that has systematically crippled/sabotaged other companies by keeping their 'intellectual' secrets under wraps in an attempt to leverage themselves into any software based market they see fit to at the expense of others.

I think this quote basically sums up the whole open source/closed source debate.....

Guy

Re:Inside job?

Does anyone at all think before they post stuff like this? Just for once can we please not be subjected to the usual moronic childish chants of "microsoft sucks" and "see what happens when you don't run linux" ?

This incident is a simple case of social engineering when you look at it -- it's nothing to do with windows, nt nor any OS security. Some muppet ran an executable program that was sent to him/her and the program emailed some user-priviledge data _legally_ available to any program running in that user's context.

IMO the problem lies in their staff training -- don't run crap in work on a sensitive machine, especially if you've got high-level access via an extranet. Now that isn't too hard to understand, is it?


-- Writing a Haiku
in seventeen syllables
is very diffic

Integrity

From the MSNBC/WSJ article: ``We are confident that the integrity of Microsoft source code remains secure'', a Microsoft spokesman.

Remains? Since when has there been any integrity to MS code?

Re:See what happens when you rely on NT

It's easy to blame NT, or Inoculate IT, but the real culprit is Outlook.

Microsoft's policy of helping users (even their own users apparently) run binaries and scripts from untrusted locations is absolutely insane. Yes, Inoculate IT should have stopped the virus (theoretically), yes, Windows NT should have more protection against attacks, but the key is that Outlook is a trojan fun house waiting to happen.

Unfortunately, for Microsoft anyway, the fix for this type of thing goes far beyond patching some buffer exploits. They instead have to totally re-think how Outlook (and other Internet software) handle untrusted binaries (that probably includes ActiveX).

Re:Open source in danger

They now have the perfect ammunition to claim that these projects have received help in theirtasks from people who are willing to engage in criminal persuits

Would be hard to prove. I can imagine, in such a trial, the defence demoing a 1997 version of wine running Excel 95. (It was unstable, but you could get it to run which is visually important). I.e. "this project has been making an earnest attempt to do a legit clone of the windows functionality for many years now".

open source programmers already include criminals (Randall Schwartz)

I'm sure there are examples of closed-source programmers who are criminals, which you could list in a trial.
(In case anyone doesn't know, Randall's only crime was to get on the wrong side of Intel in Oregon, where the government basically does anything Intel wants. See here [lightlink.com] for details. Please boycott Intel and write to them to tell them you are doing so).

Here's Windows source code

Indeed, Windows source code leaked. Here's a fragment.

voidmain()
{
while(!CRASHED)
{
display_windows_logo();
display_copyright_message();
display_bill_rules_message();
do_nothing_loop();
look_for_new_hardware();
sleep(10);
look_again_for_new_hardware();
scandisk();
if(detect_cache())
disable_cache(); if(first_time_installation)
{
make_50_megabyte_swapfile();
do_nothing_loop();
totally_screw_up_HPFS_file_system();
search_and_destroy_the_rest_of_OS/2();
hang_system();
}
write_something(anything);
display_copyright_message();
do_nothing_loop();
do_some_stuff();
if(still_not_crashed)
{
display_copyright_message();
do_nothing_loop();
basically_run_windows_3.1();
do_nothing_loop();
do_nothing_loop();
}
}
if(detect_cache())
disable_cache_again();/*just to be sure*/

if(fast_cpu())
{
set_wait_states(lots);
set_mouse(speed,very_slow);
set_mouse(action,jumpy);
set_mouse(reaction,sometimes);
}

/*printf("WelcometoWindows3.11");&nb sp;*/
/*printf("WelcometoWindows95");&nbsp ;*/
printf("WelcometoWindows98");
if(system_ok())
crash(to_dos_prompt);
else
system_memory=open("a:\swp0001.swp",O_CR EATE);
while(something)
{
sleep(5);
get_user_input();
sleep(5);
act_on_user_input();
sleep(5);
}
create_general_protection_fault();
}

Re:No Security on a Windows Network

There is no security on ANY network (though Windows is slightly more susceptible to cracks, that's all :-)). If cracking fails, there's always social engineering. You want security, go get a standalone computer. (and don't forget the Tempest shielding -- and the intrusion early-warning system and the leadlined safe.)

Seriously, though... one of the more serious reasons that viruses/trojans spread more easily on Win32/Mac is "user imbecility/gullibility". And one reason (among many others!) why Linux/BSD was considered secure is that (1) users were much more sophisticated, and (2) the OS often compromised on security over 'ease-of-use'.

Today, with Linux (not BSD though (thankfully!)) reaching more and more into the newbie space (I'm just waiting for the first "for-newbies" distro (oh, wait, Corel comes to mind)), how long before something like this happens on a Linux box? Remember, there are a lot of newbies out there running Linux (and also Win2k/NT, for that matter) on their PCs with exactly one user account -- "root"! (or "administrator".)

Re:Inside job?

Looking beyond the fan-boy name calling, there is a serious point behind this.

Microsoft has made a massive virtue of "making hard stuff easy"; underlying a lot of the products coming out of Redmond is the core value of "Trust us to do the hard stuff for you".

In that context, it's commerically damaging to have revealed to the world-at-large that even Microsoft can't rely on Microsoft to do the hard-stuff (security) for it.. And if Microsoft can't rely on themselves why should anyone else?

Not, I hasten to add, that I believe that this incident will have any long-term consequences of this action. I'm waaay too cynical to believe that any good can come of this.

Re:See what happens when you rely on NT

Your naiveté makes me hope you never administer any network I use.

The exact same type of crack could happen on ANY Unix machine, not properly safeguarded. Get an e-mail with a binary attachment, chmod 744 attachment, it runs, displayes a really cool screen hack or small game of some type. It also spawns a child process, but you're probably unaware of this.

This child process sniffs out passwords, because hey, any user account can sniff packets, not just root. People log into other computers, all the while this program gets user acct & password after user acct & password. It then sends out an e-mail to a remote address, listing all these new shiny user names & passwords, what machine they were connecting to, and voila, this cracker suddenly has user accounts. Now he's free to move onto higher level attacks.

Don't fool yourself for a second -- Microsoft's biggest mistake was that it wasn't using a more secure firewall to protect it's local machines - these machines should have been INVISIBLE to the entire internet, only available to MS's intranet.

Re:Well, Ho Ho Ho

This would have happened if they were using Linux, BSD or anything else.

Well, y'd have to be running some program as stupid as Outlook, which runs arbitrary executable attachments, inside your supposedly "clean environment". I can't imagine a competent UNIX sysadmin would set things up this way.

Re:DNS entry also cracked

Jesus christ already, that's not cracking, I'm sick of seeing this "story"!

All those are is host entries under, say, terrorists.net or hackerjack.com.

If you have a DNS that is acting on behalf of registered domains, it's IP address is registered to the registrar so their root servers can point to it.

So if you say you have a DNS server called "microsoft.com.is.secretly.run.by.illuminati.terro rists.net" it will show up there.

So can we agree that there's no "cracking" going on? Sure, it's a neat hack, but I've seen this thing in e-mails, on 4 different web "portals", and now in comments as well. Please, for the love of god, make it stop! :)

Re:See what happens when you rely on NT

This child process sniffs out passwords, because hey, any user account can sniff packets, not just root

Would you care to explain how?

Re:Banks don't use Microsoft

Actually quite a few banks use unix for their core systems. I worked at places which use RS/6000's running AIX.

Gates said "Blame Linux developers!"

"the company couldn't say one way or the other whether source code had been stolen."

In other news, a new build of Wine was released today boasting 100% emulation of the Windows environment at native speeds. When asked to comment, the dev team replied "We could tell you how we did it, but then we'd have to kill you".

(note to morons : go check on freshmeat just in case!)

News Flash from Russia!

St. Petersburg (!AP) -- St. Petersburg police have found the bodies of three young computer experts. The three were found in one of the their apartments, lying on the floor in front of their 486 running SuSE Linux.
"Our police experts stated that they were those who broke into Microsoft's servers and stole large amounts of code", says a police agent via translator. "Experts were able to tell from lengthy headers, pointless libraries, and pointers to nowhere-in-particular that this must be actual code for Windows 2000' successor."
After a preliminary exam, forensic pathologists state that their deaths were all caused by ruptured lungs.
"If I didn't know better, I would think that they would have died laughing", said the pathologist.
One of the police experts who determined that the code was in fact Microsoft's also began laughing uncontrollably, and was rushed to a nearby hospital. He remains in serious condition and on heavy sedatives.

"...we invented Software Theft?" Hear me out...

Y'know, it may not be in the Open Source community's best interests if the source code for MS' OSes gets stolen and released into the wild. Regardless of how sweet the irony looks from here, what kind of influence would it have on the Open Source movement if the first thing people associated with "Open Source" was "Oh, like those gyus who broke into Microsoft and stole their code, right?"

Al Gore has the quote "I invented the Internet" fused to his name. It's been used time and again to demonstrate Gore's penchant for hyperbole, his untrustworthiness as a leader. Many of you probably already know, though, that Gore never actually said that he created the Internet, but rather that he was the key political figure in the early days of funding the Internet (still an inflated claim, but nowhere near as sensational as the other.) Does the fact that he never actually said what countless media outless attribute to him, often as a direct quote, make any difference whatsoever to his image and reputation? Nope. The media and his opponents decided to nail him to the wall with a hyperbole of their own, and with a bit of hard work and luck, it has become Truth. Truth, in that wonderful Orwellian fashion of 'if all official sources report the lie as the Truth, then the lie becomes the Truth, and the truth a lie.'

It wouldn't matter how much you or I knew the truth, much like it doesn't matter that Al Gore never actually said that he invented the Internet. The Sheep and PHBs everywhere will swallow whetever pill they're given, and you can bet dollars to donuts that the story line wouldn't play out in favor of Open Source. If you think it's hard to convince your superiors to utilize an Open Source model now, try and imagine the brick wall you'd hit with your boss' brain automatically substituting "what happened to that stolen MS code" for "Open Source".

For the moderators out there, I'm not saying that I think Open Source is theft, just so that's sufficiently clear. I'm just saying that it's worth considering the damage that the mass media PR monster could do to the Open Source movement, especially in light of the fact that most major media outlets are heavily invested in (and guided by) large, mean corporations. Think about it.

lame media

As always on the occasions when some tech story is big enough to make it into the mainstream media, we get to cringe at their awful attempts to explain things to the general public which they don't understand themselves. I woke up this morning to hear a BBC radio interviewer asking "so what are these source codes? are they like blueprints?"... discussion then proceeded to the topic of could the 'hackers' have planted "a virus or bug"[sic] in Windows? "Yes", said their expert, "and that could be included in every copy of Windows shipped from today!" ARRRRGGGHHHH.

Perhaps this is a UK-only phenomena. Eventually the BBC etc might stop assuming that their audience thinks of computers as huge semi-sentient boxes with spinning tape drives and flashing lights that talk to their operators. Or that Microsoft are the best and only software source in the world. ("How could this happen to Microsoft of all companies?" asked the same interviewer.)

And the use of "hacker"...
/me goes up in a puff of unsmoke.

Re:Inside job?

Think about how many attempts to do this go unrewarded....in any given day. I think about how many scripts and 'sploits I see for *nix machines, and I don't see these kinds of numbers for NT boxes.

Why is it that a *nix box getting compromised = 'Excellent, now we can patch the hole', but an NT machine = their security "sucks"?

My personal opinion is that unix variants are more secure, stable, and so on, but NT is NOT a gaping hole into a given network, just not my 1st choice as a server.

Before the flames abound, my personal server is a linux box, I just didn't agree with this particular statement.

Re:Childish attacks unnecessary

You really need to think before posting. Most of the security compromises you list for Linux are _local_ compromises. That means, you must already have a shell to do them. If you have a shell on Windows, getting root is even easier, unless you have all of the security updates. When NT4 was first released, almost every kernel call did not do proper checking, and you could comprimise security with _any_ kernel call. As far as _network_ security goes, securing Linux is just like securing any other OS - you check the network programs. The way you secure the console is by simply removing unwanted SUID programs. With Windows, you can assume that if someone is at the console or telnetted in (which you _can_ do with the proper software), you should assume they have administrator priviledges. As far as security advisories, most Linux security advisories come from the people developing the code, not from being cracked. This means you get to secure your machine _before_ script kiddies get their hands on things. With NT, the advisories are normally based on someone actually being cracked. Please think before posting, and make sure you understand the topic at hand.

I'm not even trying to say "Linux is better than Windows" with this post. I'm just pointing out that your arguments are comparing apples to oranges (network security to local machine security, and published exploits to theoretical problems).

If I were Ballmer I'd...

order the biggest freakin' code review in history.

If I were a hostile cracker, I wouldn't go the "data hostage" route -- to risky. The police will follow the money.

Instead, posing as an engineer, I'd slip a few buffer overrun vulnerabilities, just where I could use it. Knowing the cruftiness of MS operating systems I'd have my own private back door into any system shipped with Windows for years to come.

Give a man a fish, and he'll eat for a day. Hand a fisherman a crate of hand grenades and he'll catch all the fish in the river.

Childish attacks unnecessary

I'd expected more mature responses to MSFT being hacked than childish attacks either blaming NT like the above post or claiming that MSFT being hacked is good for Open Source like others I've seen. Frankly *nix and Windows are roughly equivalent in default security (except for OpenBSD) and only through the machinations of a good sys admin is either OS properly secured.

For those that believe *nix is somehow more inherrently secure than Windows here are a few sources that may refute that claim The major security issues in Windows are Outlook (disable preview pane, be careful with attachments) and Internet Explorer (disable Javascript). Doing that and using a firewall like ZoneAlarm [zonelabs.com] is most of the securing that a typical Windows box needs. On the other hand due to the use of insecure C libraries (str* functions, *scanf functions, etc) most of the services that are enabled by default in a typical Linux install are insecure (especially RedHat the primary consumer Linux OS in the U.S.). Take a quick look at security sites like Attrition.org, CERT, SANS, rootshell, SecurityFocus, etc and check the results. Defacements of Linux sites has been rising at a steady rate and now there are more defacements of Linux sites than NT sites [attrition.org]. CERT regularly has more Linux and Unix security advisories [cert.org] than for Windows. The SANS (System Administration, Networking, and Security) Institute top ten list of security holes [sans.org] has more entries for *nix than Windows. A quick search of the terms "linux" and "windows" on Rootshell's seearch engine [rootshell.com] come up with 84 downloadable exploits for Linux versus 39 for Windows.

The above post is not intended to be flamebait (I run Win2K but plan to reinstall Linux on my second machine so I am a Linux user) but as a counterpoint to the above post which was rated +5 when I replied to it.



Second Law of Blissful Ignorance

Bad Day for Bill

AVAILABLE - Slightly frazzled security Admin seeks Immediate Position after undertaking imposssible task at unnamed Redmond, WA. employer. Canned due to circumstances beyond control. Will take any offer not relating to windows. Added Plus - Able to interpret arcane source code for popular and possible unintentially Open Source Operating System (you hear that Larry E.?). Used to long hours and sleepless nights, anything's a change for the better. Looking for stock options (in a company that's still gonna be worth something in a month).

Re:See what happens when you rely on NT

This has nothing to do with the OS used. It's an employee who introducedd the Trojan by opening an attachment.

Once again this prooves the weakest link in any security is the human factor.


"When I was a little kid my mother told me not to stare into the sun...

Re:Open source in danger

> Before everyone here gets into a frenzy of self-important "Micro$oft are lusers" posts...

Well, I'm just grateful that no one broke in to www.redhat.com and stole the source for Linux.

Pulleth The Other One, it hath Bells On

Any project started within the last 3 months may be potentially vulnerable to a legal Denial of Service attack, yes.

I refuse, however, to believe that there's a Court of Law in the world that's bone-headed enough to believe that project X, running for Y years and fully documented in that time as an open project (cf WINE [winehq.com]), has benefited from the unrelated, unadvertised and recent breaking out of MS source code.

Come on.. Doom-saying is all fun and games, but please do try and stay within the bounds of reality...

Reichstag Fire

This was PRECISELY my first thought when I read these pieces: this is a staged event for some reason as yet to be revealed.

Of course, as a reluctant user of NT, I *know* it's vulnerable, and the fact this occured doesn't surprise me at all. What IS surprising is we haven't heard more of this coming out of Redmond; it can't be the first time.

I don't think the possibility that this is a way for Microsoft to reign in the Open Source movement is paranoid AT ALL. With M$ having its market share threatened by Open Source stuff, why not create an excuse that the people releasing it are ripping off internal code stolen from M$. Indeed, it makes perfect sense, and it wouldn't surprise me if the lawsuits start flying within 6 months.

I worked at a place where we had REAL break-ins, and the last thing you want to tell your customers is that you've been hacked. The fact that M$ is being so forthright about this--in direct contradiction to the way they typically stonewall against any less-than-flattering news--points to an entirely different motivation than just being honest.

Remember, the people that report these stories have extensive relationships with M$. There can be no doubt that they are spinning this is such a way as to ultimately benefit M$, or any initiative that M$ may find to its liking.

By the wall, Randall is *NOT* a criminal. Yes, he was convicted, but that means about as much as the stain on Monica's dress. Judge for yourself; go here [lightlink.com] for more information.

Redhat Cracked

Durham, Oct 27 -- The linux world is in a tumult today after a report claiming hackers broke into the corporate network of industry leader Redhat. The report, published on the internet by a pseudonymous "BG", purports that "lots and lots" of hackers outside the Durham-based organization have been "stealing intellectual property" from the company for "a whole lot longer than three months." Redhat officials appear to be stonewalling on the issue, responding to questions with a baffled look and the reply, "What the hell are you talking about?"

According to the report, unknown hackers managed to procur a password to Redhat's network servers. They then used the password to download the blueprints to all of Redhat's products. Even worse, the password was circulated widely over the internet, allowing thousands, potentially over a million hackers to repeat the exploit.

One person familiar with the case said it appeared the hackers initially gained access to Redhat's corporate computers by exploiting a hole in the company's "FTP" software. This software is used to transfer files between remote computers. The hackers discovered that the password "anonymous" allowed them access to all of Redhat's intellectual property.

Most damning of the report's accusations is the claim that internal Redhat officers have known about the vulnerability for months, even years, but failed to alert customers or close the security hole.

The breach may have allowed hackers to insert instructions into the blueprints for Redhat's products, including the recently released Redhat Linux 7. One anonymous insider called such practices "common." When asked if they were planning an extensive audit of their code, Redhat officials repeated their reply, "What the hell are you talking about?"

Open Sourcing Windows...

If the hackers release the source into the "wild", we're likely to see a similar situation to DeCSS - anyone who hosts or links to the source code for Windows or any other Microsoft software will have the full force of Microsoft's legal vultures brought to bear upon them.

Wonder if HavenCo [havenco.com] would host it. That would mean a real, live-fire test of SeaLand's sovereignty - if Microsoft can't beat them, then noone has a chance! :-)

D.

Re:Open Sourcing Windows...

First one to submit a patch gets to pick a new default colour for the Screen Of Death...

This is obvious but...

...what in the hell would hackers want with Microsoft's plans? Script kiddies, sure. Crackers, of course. But actual hackers? No self-respecting hacker would ant or need to crib from Microsoft's notes. That would be like copying off the paper of the class idiot.

Re:Inside job?

This may be a case of social engineering, but please don't gloss over the fact that it is Microsoft themselves who have repeatedly and loudly condemned Linux and who still, at this page on their site [microsoft.com] claim the Linux security model is weak. They spend a lot of time, money, and effort to put Linux in an extremely bad light. If they can't secure their own network using their own software, then I seriously question how their user base is to be expected to do the same. This points up how incredibly difficult it is to secure their software, yet they claim it is superior to other models out there.

Also, a quote from their spokesdroid, "We are confident that the integrity of Microsoft source code remains secure." (MSNBC article [msnbc.com]). I'm not so sure I believe them. Can they prove it? Is there any consulting firm in the world not on the Microsoft payroll who will be allowed to study their source to determine that it hasn't been trojaned by Russian subversives (or Steve Jobs or whoever cracked them)? I humbly suggest that from this day forward, there is no guarantee that any newly compiled software or patch hasn't been corrupted. While there's no need for gloating and "moronic childish chants", the fact remains that their source may be compromised and their security through obscurity model does not satisfy even the weakest security policies. This is not a problem we have with Linux or BSD-- which certainly have had holes in them, no denying it. But when you have someone telling you that you should trust them, and please pay mightily for our product, and, yes, you'll just have to trust us that it works the way we say it does (even though we can't seem to keep ourselves secure)-- oh and that Free software that you can obtain for a fraction of the cost and that you are able to review, modify, and share as you will? It sucks.

They do not deserve any leniency whatsoever. Their model is the one that is broken. It is based on trust. They can't buy that with any amount of marketing or legal shenanigans. Trust must be earned. And right now, they get none from me.

More linkages (and details)

More details are available from:

• CBS MarketWatch [marketwatch.com]
• C|Net [cnet.com]
• The Register [theregister.co.uk]
• The BBC [bbc.co.uk]
• Wall Street Journal [wsj.com]
• Basically
• Microsoft [microsoft.com] suspect the access was granted to St Petersburg [beebware.com] (Russia [beebware.com]) computer systems by use of the QAZ Trojan [zdnet.com]. The FBI [fbi.gov] is investigating.
  

Richy C. [beebware.com]
--

Not A Good Thing

No matter how much you think Bill Gates is the anti-christ or hate Windows, this is most assuredly NOT good news. The judges, the lawyers, and the law enforcement that will certainly become involved in this case will look at one point, and one point only: someone broke the law. Know what else? They don't understand you, and they don't care that you want Wine to work better or an Open Source Windows.

In the interest of fairness, let's look at this from their point of view. "Hackers" (does anyone know what this word means anymore?) have been getting a lot of bad press lately. Hacking into Microsoft's site adds fuel to the fire. Stealing Microsoft's code is fanning the flames.

Everyone is making jokes about how insecure MS products are, as if Apache or Slashdot have never been compromised.

Even more worrisome is the opinion of the everyday, ordinary citizen. Some of which have made money off MS stock. Many of which use a computer, but aren't as "in" to them as we are. I bet you lunch that they see stuff like this and feel "insecure". And I guarantee you, when something like Carnivore comes along, the average person will suport it, because it makes, at least in their mind, the online world a safer place.

So laugh now about Microsoft's problem. Joke about an OSS Windows, regardless if they want it or not.

Ladies and Gentlemen, if you're old enough to understand, it's time to realize that this is most assuredly Not A Good Thing.

Disclaimer: MY computer runs Linux/BeOS.

Re:Childish attacks unnecessary

The point is this.

1) Microsoft has complete unrestricted access to there own source

2) Microsoft is a billion dollar company and ALOT (atleast in their eyes) is at stake

3) They have enough money to higher decent security officers

4) These well-paid security officers should of secured the system and network

5) With people hired for the sole purpose of securing the network, the network should be somewhat more secure, no matter what OS they are running.

6) Why are there developemnt/ source code computer even avaiable on the Internet? Anyone every hear of firewall or internal network? Anyone think about just upluging the T1 from the internal network? Anyone think about requiring the security admins to read "Intro to network security"??

I am sorry to say, but this crack looks "so seventh grade or something"

7) Should Microsoft employees know how to use what software they are required to for there job (ie. outlook). Shouldn't of Microsoft employees be educated about basic security?

8) Where is any monitoring? "Hey Network Admin Bob, some ip in russian has been downloading megs of stuff from one of our internal machines? Is that normal?"

Microsoft views the security of there source code as "high value", the see the closedness of their source as their cash cow, yet they let someone 0wnZ them so easy.

I am not saying NT or W2k is more secure than Unix, etc, that is a broad and misleading statement. I am not saying Unix is more secure than NT, that is also to broad and misleading.

What I am saying is that any decent OS (this includes NT, W2K) should of not even had the chance to be owned like this. If there network was setup right, you could have had the most insecure OS running with default uid/pass for admin access and should not be spolitable like this (atleast from the internet).

It boggles the mind.

It not even like a 31337 crack, it is "hey I downloaded all this programs off the internet, you want to 0wnZ M$?"

The problem isn't with what OS it is running, the problem is that 1) the network admins no nothing about security 2) the system admins no nothing about security 3) the users no nothing about secuirty.

Even if they where running a "Ultra Secure" *cough*OpenBSD*cough* OS, if they hook their "important machines with highly classified information" up the the internet, they are just ASKING for trouble...

And someone please explain to me why the SYSTEM ADMIN was checking his email with the ADMIN account on a SECURE MACHINE. Then running an unknown program as ADMIN user!

That is like a unix admin, going to a secure unix box, logging in as root, checking his email with root, then running an unknown program as root, this mind boggles.

Do they people in redmond even know how to use there own dam OS? Maybe they should require all employees to get MSCE or something...

Re:See what happens when you rely on NT

Gee, somebody who GETS IT!

Take a PC, install a default copy of RH 6.2, hook it up to a static IP DSL modem. Come back in a month or two, and you'll find that you have at least 1 or 2 "volunteer" sysadmins!

The difference between NT and Linux is that you are given the control to make Linux VERY secure. You just aren't given the low-level control needed to make NT anywhere NEAR as secure.

It takes time, and extreme attention to detail - bit it CAN be done.

-Ben

Re:See what happens when you rely on NT

They instead have to totally re-think how Outlook (and other Internet software) handle untrusted binaries (that probably includes ActiveX).

It could have been in the attached MS Word .DOC file as well. And anyone who goes to ther MSDN site for various tech info, having to use IE with full ActiveX enabled to make the sites work right, is potentially infected. Or anyone using the MSDN Libraries, including MSVC Help, of recent couple years (which also don't work well without internet connection enabled).

Their whole "vision thing" of hypertext documents which seamlessly integrate your computer (via the MSDN Libraries, including compiler help files) into the Microsoft servers, reporting (if they wish so) anything you look up, any articles you read and for how long, anything you search for, which code samples you extract, ... even without coupling with ActiveX, is a virus/trojan handcrafted for industrial espionage, all by itself.

I wish only Bill Gates' machines and those of the other brains behind the Microsoft all-is-one (or is it one-is-all) "vision" got some of their own medicine.

BTW, I just typed in my first message in here, and this luxuriously spacious /. edit box with its eye pleasing courier font makes Microsoft Notepad seem like an ultra-ergonomic editor from the future. (The only cure for this is to make the web designer here use this exact edit box for three days for all of her editing work; by the second day the edit box would be twice as wide and three times as tall and user could set their own non-fixed pitch fonts. By the third day she would suggest dumping it altogether and using something like Userland's Manila editor [userland.com].)

The "Truth" about who Microsoft really is

Any of you with Unix shell access should try:

whois microsoft.com

also whois aol.com ; whois apple.com ; whois whitehouse.gov

How did they do it? Simple. Whenever you register a nameserver IP address, you have to include a domain name for the nameserver. I think the only thing checked is that the IP address pings and the domain name is part of a real domain.

Re:This isn't good.

I don't care how M$ falls. They've made it clear that they'll stoop to any level to get more cash, but now the shoe is on the other foot. But I would not insert any windows code into a linux app. linux is not the OS of thieves. And that would make linux just as bad as M$.

//rdj

it's *NOT* a very good point

In fact, it's probably the biggest misconception he made.

Relying solely on a firewall is the single biggest mistake a company can make.

True, a proprely configured firewall can make a huge difference, but _real_ security involves securing every machine on the network. A firewall won't fix a problem with bad client (such as Outlook) executing code it's not supposed to. A firewall won't fix a problem with a web/mail/whatever server running behind it.

The bottom line is that if a machine needs to talk to the internet, it _needs_ to be secured, because an improperly written app can make any firewall completely useless.

Update

ST PETERSBURG, Russia: 2000-10-27: In a joint sting operation, Russian police and the FBI made a raid on a downtown apartment today, netting four teenagers they suspect of being behind the Microsoft breakin. Microsoft spokesman Rick Miller applauded the operation, saying that neighbours tipped off the police after noticing strange behaviour from them.

"These were all very bright boys - cheerful, helpful and good at their day programming jobs" said apartment resident Canya Bolyevtis. "But last weekend that changed when they started walking around in a daze after an all-night session, as if they had been exposed to some terribly traumatic thing."

Californian software analyst Rich McGee says the teens were foolish to allow themselves to be exposed to Microsoft source code.
"Here you have some very bright young guys with some Unix experience suddenly coming into contact with the C source for kernel32.dll. I think they were unprepared for the shock."

St. Petersburg police chief Konstantin Bolygubov thanked the public for the information that led to the arrests, saying it was the easiest raid he had done in a long time.
"When we broke down the door, none of them moved," he said. "They were all just staring in horror at the screen of a PC in the corner of the living room."

Open source.. assisted? (well, gpl perhaps..)

What about the claims by some that M$ uses portions of GPL'd code? If that was revealed in the any sources absconded with, could this not work in open source's favor? Granted, M$ will still take the position the material was illegally obtained (probably rightfully so) and try to supress it (fat fscking chance). This could give the free software movement some justifaction for its model and some teeth for any legal wrangling they felt they should do.

just a thought...

Re:Open Sourcing Windows...

It's not against our AUP.

We as a company are not in favor of software
piracy, so we certainly wouldn't help, but if
a customer wanted to host stuff like this, we can't really say it's against our AUP.

(I personally think MS source code would be a
waste of space, a thousand monkeys and all that...)

Read the (full) Wall Street Journal Article

It seems michael has forgotten to include the link to the original article on the Wall Street Journal - it's here - login 'slashdot123' passwd 'slashdot123' [wsj.com]. Very long, comprehensive and insightful.
Richy C. [beebware.com]
--

No Security on a Windows Network

This reminds me very much of a point I have
frequently made to a friend of mine about
the security of his network.

He had claimed that he didn't need to worry about
security because his networking folks had
provided a very secure firewall.

"Really," I said, "Do you have any Windows
boxes on your network."

"Yes," he replied.

"Do they run Outlook?" I inquired.

"Yes," he replied.

"Then why do you bother to run a firewall at all?"

I went on to explain that anyone could infect
Windows boxes behind his firewall via email
(which almost every firewall in the world
is configured to pass). Once infected this
Windows box could subvert his whole network
and tunnel anything it needed back out via
SMTP (we do after all, have examples of
tunnelling IP via SMTP).

My friend thought I was nuts. Seems that something similar happened to Microsoft itself.

Guess I'm not nuts. There is no network
security on a network which has Windows
present.

Win-Win? Not so sure...(Kevin Mitnick)

If it's a outside job and the crackers beat MS' secuity, now the whole world+dog knows that MS software sucks in protecting data.

From all the articles, it looks like this was a Trojan that may have been secreted during the execution of some email attachment. Knowing MSFT, they'll probably spin this as a virus similar to Melissa or ILOVEYOU and the general public will stop blaming them.

After all, no one is calling for their heads after Melissa and ILOVEYOU even though the main reason they caused so much damage is the lack of security built into Outlook and the ease of using Virus Building Script. Instead we'll probably get a lot of hacker crackdowns with this breakin, perhaps another Kevin Mitnick type case where he got reamed for seeing Sun's Solaris source [zdnet.com]. It's very possible to see the culprits doing massive jail time for supposedly causing MSFT zillions of dollars in lost revenue by merely looking at the source like Sun did with Kevin Mitnick. This is especially possible in the current climate of UCITA and the DMCA. I wouldn't consider that a win, would you?

Second Law of Blissful Ignorance

Re:Maybe this is what sunk the Kursk

I've seen some pretty dumb things on Slashdot and I've seen some pretty offensive things on Slashdot, but never a post like this.

This ranks up there with the jokes that came out after the Challenger accident and after Oklahoma City. The Kursk was a tragedy. It may not seem that way to an American, but it shattered the emotions of the Russian people. To further imply that Microsoft had any part in that tragedy is simply childish.

I've always considered the majority of Slashdot readers to be brats, but this goes to show that whatever Microsoft may do to fight the open-source movement, they'll probably win. Why? Because for the most part, it's people like you who make up and support that movement, people lacking any amount of maturity and decency, and for movements to succeed, they must at least be honorable in the face of their enemy.

Just sickening. Whoever moderated this up for being funny should be shot. Mark me down for flamebait or what have you, but the fact remains, many open-source zealots and programmers are simply brats.

Initial breakin was via email trojan

From what the MSNBC article said, the crackers initially got access because some poor MS employee inadvertantly ran a trojan email attachment, then did some sort of password sniffing.

It should now be completely clear that attachment-running programs such as Outlook are dangerous and should not be used by any business which has sensitive data, i.e. any business at all. Any business which jeapordises my personal privacy by using such software is acting negligently, just as if they left their locks unlocked and their safe open at night.

I wish I could say that this marks the beginning of the end of such "back-door enabled" software. However I fear that this will not be the case.

All of a sudden

the earlier story about Wine running Excel and Word [slashdot.org] takes on new meaning.

Re:This is obvious but...

Hackers huh? Hopefully they'll fix some bugs before they give it back.

It's Not too serious ...

It's not as if they stole anything valuable, is it?

Re:Inside job?

If there are so many exploits for Unixes and not NT, why is it that despite an apparent minority [netcraft.co.uk] of servers, there are more defacements [attrition.org] of NT sites?

Besides, as another poster pointed out, if we hear about a vulnerability in an open source OS, whether or not it's Unix-like, we can fix it a lot more easily than with closed-source NT.

Re:Open Sourcing Windows...

we're likely to see a similar situation to DeCSS

How the hell am I going to get all that bloatware on the back of a t-shirt?!

Sounds like a great idea!

Ah, yes, evil hackers from Russia stealing the "software blueprints". Smells like the plot of a James Bond movie.

"And now, Mr. Bond, by altering the blueprints I will be able to take control of every desktop computer on the planet! I'll have an entire cybernetic zombie legion at my disposal!"

"We're one step ahead of you, Smirnoff. Office is a very fragile piece of code. Change even one line and the whole thing will come crashing down like a house of cards. The worst you'll be able to do is crash every computer. And who would be able to tell the difference between that and the way Office normally runs, eh?"

"Curse you, James! Now I'll have to kill you by an incredibly intricate device which you'll no doubt escape. The only way out of your cell is to cross this tile floor. Land mines are hidden under nearly half the tiles. Fancy a game of full-contact Minesweeper, Mr. Bond?"

s/NT/stupidly trojan-enabled software/

Um it was not about NT you fool.

No. It's just about the software which comes with NT and Microsoft sells for NT and everybody uses on NT. An equally stupidly-designed UNIX mail reader would be equally bad. But most UNIX systems don't use such software.

This could be VERY bad

Just what we need. A high-profile company that has decent lobbying skills getting hacked just as we face more and more legislation against hacking.

And this on the hells of the story below about pushing for more UCITA support. crap.