Microsoft IIS4 Backdoor Claim Retracted
maniack writes: "According to NTBugtraq, the latest reports say that there is no back door in IIS 4.0. As ArsTechnica points out, the story has apparently been blown out of proportion by the press and no security hole exists. " So - anyone know what's /really/ the case? We've got reports from both sides, but it sounds like it's not true now.
Vaporbug (Score:5)
----
Re:Vaporbug (Score:1)
"no security hole exists" (Score:1)
Mike Roberto (roberto@soul.apk.net [mailto]) - AOL IM: MicroBerto
Spoon! (Score:5)
Don't try to fix the bug, for that is impossible. You must realize the truth: there is no bug.
Wasted time (Score:4)
I likes the techie stuff. Gimme!
It's a plot!! (Score:1)
Eh, who knows/cares, really.
It doesn't affect me either way.
But Microsoft bashing is fun at times (Score:1)
My theory (Score:1)
/*--Why can't I find the QNX OS on any warez sites?
* (above comment useless as of 4-26-2000)
*/
why is it there then? (Score:1)
Ahem... (Score:1)
Be thankful you are not my student. You would not get a high grade for such a design.
Thanks for the article, Hemos (Score:5)
Restores a lot of faith after the ESR article. And no, I don't mean any of this in a snotty way. Thanks.
As to the real deal, I was under the impression that there really is a hole, just no backdoor, and way less serious than originally thought.
My own quick summary: If multiple web sites are hosted on a NT4/IIS4 server with FrontPage 98 extensions installed, then webmaster A with web authoring permissions on his own site could potentially inappropriately read the .asp (and possibly the global.asa, but no others) files of webmaster B's web site if he knew where they existed on the same server. Note that to be able to do this, user B would have had to have granted user A read permissions (explicitly, or by giving read access to "Everyone") on those files -- otherwise, user A would be unable to read the files.
There's also the buffer overrun, although I don't know if anyone has successfully been able to exploit it yet.
Bottom line: Just delete the dang dvwssr.dll. Do not pass GO, just delete it. I don't know a single person still using Visual Interdev 1.0, and even then you'll just lose the "Link View" feature. I could care less if they ever release a fixed version of this nasty DLL.
Cheers,
ZicoKnows@hotmail.com
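Turning the condition stated in the post above into a check, as an added example that is not from the thread or from any Microsoft tool: the audit below reads a simplified, constructed per-file ACL listing (one file per line, tab-separated path and comma-separated account:permission entries using cacls-style letters; it is not real cacls output) and reports .asp and .asa files that a broad group such as Everyone, or the authoring account of a different site, can read. The site roots, account names and the listing itself are all constructed for illustration.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed input, not real cacls output: one file per line,
# "<path>\t<account>:<perms>,<account>:<perms>,...". Permission letters
# follow the cacls convention (N, R, W, C, F).
ACL_DUMP = (
    "C:\\inetpub\\siteA\\default.asp\tSERVER\\authorA:F,BUILTIN\\Administrators:F\n"
    "C:\\inetpub\\siteA\\global.asa\tSERVER\\authorA:F,BUILTIN\\Administrators:F\n"
    "C:\\inetpub\\siteB\\orders.asp\tSERVER\\authorB:F,Everyone:R\n"
    "C:\\inetpub\\siteB\\global.asa\tSERVER\\authorB:F,SERVER\\authorA:R\n"
    "C:\\inetpub\\siteB\\logo.gif\tSERVER\\authorB:F,Everyone:R\n"
)

# Which authoring account owns which site root (assumed, for illustration).
SITE_OWNERS = {
    "C:\\inetpub\\siteA": "SERVER\\authorA",
    "C:\\inetpub\\siteB": "SERVER\\authorB",
}

SOURCE_EXTS = (".asp", ".asa")             # the file types the post says could be read
READ_BEARING = set("RCF")                  # cacls letters that include read access
BROAD_GROUPS = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users"}
TRUSTED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}


class Finding(NamedTuple):
    path: str
    account: str
    perms: str
    reason: str


def parse_acl_dump(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse the constructed listing into {path: [(account, perms), ...]}."""
    acls: Dict[str, List[Tuple[str, str]]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        path, _, aces = line.partition("\t")
        entries = []
        for ace in aces.split(","):
            # rpartition so only the last ':' separates account from permissions
            account, _, perms = ace.strip().rpartition(":")
            entries.append((account, perms.upper()))
        acls[path] = entries
    return acls


def site_owner(path: str, owners: Dict[str, str]) -> Optional[str]:
    """Return the authoring account of the site root that contains path."""
    for root, owner in owners.items():
        if path.lower().startswith(root.lower().rstrip("\\") + "\\"):
            return owner
    return None


def cross_tenant_readable(acls: Dict[str, List[Tuple[str, str]]],
                          owners: Dict[str, str]) -> List[Finding]:
    """Flag .asp/.asa files readable by a broad group or another site's author."""
    findings: List[Finding] = []
    for path, aces in acls.items():
        if not path.lower().endswith(SOURCE_EXTS):
            continue                        # images etc. are served anyway
        owner = site_owner(path, owners)
        for account, perms in aces:
            if not (set(perms) & READ_BEARING):
                continue                    # this entry grants no read access
            if account == owner or account in TRUSTED:
                continue                    # the owner and admins are expected
            if account in BROAD_GROUPS:
                findings.append(Finding(path, account, perms, "readable by broad group"))
            elif account in owners.values():
                findings.append(Finding(path, account, perms, "readable by another site's author"))
    return findings


def audit_shared_hosting(dump: str, owners: Dict[str, str]) -> List[Finding]:
    return cross_tenant_readable(parse_acl_dump(dump), owners)


if __name__ == "__main__":
    for f in audit_shared_hosting(ACL_DUMP, SITE_OWNERS):
        print(f"{f.path}: {f.account}:{f.perms} ({f.reason})")
```

On the constructed listing the audit reports siteB's orders.asp (readable by Everyone) and siteB's global.asa (readable by authorA); siteA's files and the .gif are not reported. The same shape of check applies to any multi-tenant host: whatever the authoring component does, source files that are readable by other tenants' accounts are the actual exposure.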
Wording... (Score:1)
Rainforest (Score:1)
I know Linux geeks sometimes get into hype too much, but that is no reason to use *bad* words in posts (see VA post above :)
The actual vulnerability. (Score:5)
Ian
Re:Eric Raymond spreads FUD!!! IDIOT!! (Score:1)
Re:But Microsoft bashing is fun at times (Score:2)
for me it was Apple DOS 3.3. What's your point? Does that make it a good OS? Get a clue!
Although, come to think of it, who the heck uses Win2000 anyway? Win98 is more stable.. but that's like comparing the two crappiest bands in the place; which one's better?
I do. And being "based on NT technology", Windows 2000 is FAR superior to Windows 98 in terms of stability. Again, you have NO IDEA what you are talking about. (Of course, Linux is far more stable than both of them, and I use that, too.)
Smells like the Money (Score:3)
-There is nothing to see here, folks, just go on with your business, there is nothing going on here, nothing at all! Can't we all just get along!
Micro$oft has lots of money (BTW. WTF. Why Isn't
I wonder how much (intangible costs) MS will pay for this blunder?
But you all thought it was true. (Score:4)
-russ
I have been calm through this... (Score:1)
Alright.. (Score:2)
#1, WTF is that string doing in this dll?
#2, Can Netscape sue for libel?
Re:Spread the Free Speech Word (Score:1)
You're getting out what is now *NON-INFORMATION*, which could have been real information, and might have had an effect if you:
A) hadn't broadcasted it with an unnecessarily hateful and spiteful tone and
B) hadn't spammed the article.
Now you'll get moderated down as redundant in all of your posts, instead of getting rated up as insightful. Conflicting viewpoints are not always moderated down. Rarely in fact, and those that do are brought back up and meta moderation takes care of the moderator. Except when you take your role of "town asshole" and everyone gladly takes a shit on you.
Next time, think your "comment" out a bit better, and make sure you leave the unnecessary "fuck the moderators", "this will be moderated down", preaching to the "Trolls of the world", and calling everyone "linux losers" out and maybe people won't be so quickly repulsed.
Someone who immediately comes off as hostile who rants and raves with only a MINIMALLY apparent reason isn't likely to be taken seriously. You are one of those people. Enjoy, as you may have had a message, but screwed yourself.
Grrrr.... (Score:4)
Sure, *now* we can say it was probably nothing, but for a while, folks running IIS had to be worried, and waste time and money fixing the problem. The problem didn't exist, but because of Microsoft's unreliable history, people couldn't give them the benefit of the doubt.
Dana
Re:"no security hole exists" (Score:1)
Another issue I have with the bug report: one of the previous stories on slashdot claimed that this was a good example of closed source's shortcomings. Why is it that whenever Microsoft's products are found to have bugs in them, everyone in the Open Source community cries out, "See, we told you"? I think some of our credibility is lost when this happens, especially when the backdoor is found to not exist. Another issue is that of fair journalistic reporting. Instead of immediately reporting this "news" like a tabloid, Cnet and whatever other sites that first came out with this report should have actually checked to see if it had any merit before scaring all the webmasters around who are unlucky enough to still use NT. While a respectable site such as slashdot posted the retraction, other sites may not do this and this can harm many consumers.
Microsoft is still recommending to delete the file (Score:1)
The Slashdot/Open Source Agenda (Score:5)
I like Slashdot, let me say this first. I find it informative, insightful, interesting and very often, funny (hey, that's +4!). However I find many things disturbing. From time to time I see the term 'serious journalism' bandied about on Slashdot. I have to state: I don't consider Slashdot serious journalism. I find it a great place to find new and interesting information. I find it a good place to get some really insightful perspectives. But that's really from the Slashdot community. Not from the Slashdot editorial staff. The editorial staff, I think have their own agenda.
Slashdot = Pro-Linux, pro-Open Source, right? Slashdot = Anti-Microsoft. Though it seems to be anti-corporatism, I find that to be less evident.
Many of Slashdot's "celebrities" are Open Source community's big names. It's no secret that Linux and Open Source are the "darlings" of the technology world right now, to some extent. It's also no secret that many of these people have vested interest in companies that base its business on Linux and/or Open Source Software based products.
What I find, then, is that Slashdot's agenda is: 1. Praise Linux, praise Open Source. 2. Get the Linux and Open Source community to all pat each other in the back for being defenders of the free software world. 3. Get rich off of the companies that they have vested interest in.
What this means to me, in a twisted way (I'll admit it's twisted) is that the Community (I'm lumping Slashdot, Linux and Open Source together, rather unfairly too, I know, but I'm doing it anyway) has become an Open Source Microsoft corporations. Think about it. Here are the parallels:
1. Linux = Windows whatever.
2. Open Source Community = Microsoft Developers.
3. Slashdot (and other places) = Microsoft marketing machine.
I'm sure that are many others. But this is what I could think of.
So in a sense, it is distributed (don't we love that word!) corporatism, to some extent. It's a bit of a stretch there, but I think you may see my point. Just because the vested interest is in a bunch of companies doesn't mean that it's not corporatism. The point of corporatism is bottom-line. I don't think that it's so different in the companies that have products based on open-source.
In all fairness, I believe that Open Source has its roots in for-honest-goodness, but I think that the term has now been used for many self-serving people and companies with an agenda to use it as a marketing term.
And in this respect, the largest target for the Community has always been Microsoft. The Community is competing against Microsoft for market share. The Community hides behind "Open Source" as a Good Thing(tm). I find it extremely distasteful the feeding frenzy of every misstep and mishap of Microsoft. I don't love Microsoft, but I find this kind of behavior turns me off to the Community. And I absolutely believe that many are jumping on this bandwagon to bash Microsoft so that the best alternative to Microsoft, Linux and Open Source based products, will win out so that their own vested interest will make them rich. How disillusioning.
what's this DOS thing? (Score:1)
That was my first computer. After that, I had an Apple //e with Apple ][ DOS 3.3, and later ProDOS.
Hey, I was nerd before nerd was cool. :)
The point is the same...DOS wasn't the first computer for many of us. Even in the cases where it was, is that a sign of it not sucking ass? My first computer was a piece of crap in most ways! I have no allegiance to TI because of that computer, nor will I cut them any slack. I'm an engineer. I rave over the best technology. All else is vanity.
Vuln-dev Plug (Score:5)
Vuln-dev FAQ [securityfocus.com]
We've been discussing this on the vuln-dev mailing list. Here are the relevant threads:
Has anyone verified whether is is valid? [securityfocus.com]
Re: dvwssr.dll (Has anyone verified whether is is valid?) [securityfocus.com]
So far, consensus is that the hole, as first published by RFP, is a little misleading. It looks like a number of FrontPage servers out there may be misconfigured permission-wise, so that using his code will allow grabbing of .asp files and such off the server. Some folks think that under the same circumstances, the same could be done with a copy of FrontPage.
Now, there is a worse hole that the CoreSDI guys have found:
DVWSSR.dll Buffer Overflow Vulnerability in Microsoft IIS 4.0 Web Servers [securityfocus.com]
It's an unrelated hole, that was inspired by RFP's post.
RFP is a pretty sharp guy, so it's very likely he's onto something. It's possible that he overstated things a bit due to default permissions (which means 90% of the sites ARE vulnerable) but I wouldn't write off his work entirely. There will be more to this story Real Soon Now.
In either case, with two major problems related to the same .dll, and a huge embarrassment for MS, you WILL see this file patched. :)
And let's not forget MS's word on the subject:
http://www.microsoft.com/technet/security/bulletin/fq00-025.asp [microsoft.com]
BB
Re:Alright.. (Score:4)
WTF is that string doing in this dll?
It's just a string used for encryption. It could've been anything, but the programmers decided to make it a jab at Netscape.
#2, Can Netscape sue for libel?
Only if they can prove that their engineers are not indeed weenies. In other words, not bloody likely!! ;-)
Cheers,
ZicoKnows@hotmail.com
Re:I'm a troll! Moderate me down! (Score:1)
Most all Microsoft products do not include their source code. Had they inserted a backdoor no one would know, or been able to find out with any relative ease. With opensource, said backdoor would never have been allowed into 90% of *nix systems. (the last 10% are suckers who installed untrustworthy binaries from some punk and run 24/7 as root).
There are some corporations that don't intend to make the best product they can and sell it. They compete viciously, sometimes illegally, to crush competition to the point that they don't have to make the best to make money because they can make lots of money selling something that is far from the best they could do (whew!), since there is (or, has been) no option to turn to. Linux/*BSD, quite simply, is going to be near impossible for them to crush, if it can be crushed at all. Lets hope this forces changes.
Slashdot must be right! Microsoft is an evil corporation which only exists to let people break into your computer and see your pr0n!
Acting like an ass doesn't help you.
Re:Stuffing Linux up your ass is FUN! Ooooohhh.... (Score:1)
The whole market just took a plunge -- after years of clockwork growth. Tech stocks were hit hardest -- particularly recent IPOs, dot-coms, and other computer/IT related stocks. Clearly, interest rates are going to skyrocket, just as all indicators show inflation on the rise. The party's over, folks. It's going to take something earth-shaking (fundamental Fusion/Physics/Science breakthrough) to pull this one out.
Even worse, the recent tech IPOs of RedHat, VA, Caldera, MP3 were started off with unsophisticated "geek" buyers. People who are basically ignorant of anything except the net investing all they had for a quick buck. The institutions quickly followed suit, and everyone bailed out once they saw the peak.
This chump should give it a rest with the Linux bashing, ESR should do his homework before making BS posts, and moderators, KINDLY PULL YOUR HEAD OUT OF YOUR ASS. This guy is either a troll or pathetically ignorant of the stock market, or (most likely) both.
Why "the phrase" is in the DLL (Score:1)
From this note [microsoft.com] on Microsoft's site, it seems that the phrase was being used as an "obfuscation key" for filenames in HTTP requests involving this component (probably using an XOR scheme, or else they would have called it encryption).
Re:Ahem... (Score:3)
-russ
What's happened to Slashdot? [Offtopic] (Score:2)
I'm not talking about the error; the correction was prompt and quick. I'm talking about the Trolls.
We've always had trolls. But now it is just crazy.
What prompts people to behave like this on web forums? Do those of us who don't want trolls need to go elsewhere?
How much fun would it be to Troll a forum no one reads?
Sorry for posting off-topic, Slashdot used to be a much nicer place to visit. I think the threshold has been breached; AC posting must go. Perhaps temporarily.
And I used to be a strong supporter for AC posting too. But the rewards no longer outweigh the problems, not when it is like this.
Whatever will we do?
Re:Alright.. (Score:1)
Re:Wasted time (Score:2)
But if you limit yourself to not saying why the current regime sucks, you have a hard time explaining why you don't suck.
-russ
Re:Ahem... (Score:1)
--
Simon.
sad thing (Score:1)
Such is the order of things today...
Re:Wasted time (Score:1)
Remember, Slashdot DOES NOT VERIFY news to any great extent. It only reports it.
By the way, even MSHAFT recommended the dll be deleted as soon as possible.
Whether you like it or not, it was news, news for nerds. Incorrect news, but that was hardly Slashdot's fault, considering the above.
Re:But you all thought it was true. (Score:1)
The point could be made (I did not read ESR, I had no urge to read the SAME drivel over again) that with open source, especially Apache, such flaws are hard to get past the thousands who use/code for it. If programmers A, B, C, D, E, F, G, H, I, and J find programmer K's backdoor, they'll all remove it before it gets major distribution, and if it somehow, by some freak accident, makes it out in a release, we'll all be shocked as hell (some MS trolls will parade it as the fall of open source), then we'll promptly download the 2k or so of code to patch it (that came with the announcement), recompile, and be done with it. Thus the fundamental answer of "No."
First OS (Score:1)
First "home" computer: UCSD P-System on a Sage II hardware. I then moved up to UNIX System V.2 on a Stride 440. I didn't have an IBM compatible PC till the 90's and then only because I could install Linux on it. With the exception of work I don't use MS Windows and even then it's only because they make me. I'm much happier with any UNIX workstation on my desk than I am with a Windows PC.
Re:Thanks for the article, Hemos (Score:1)
That being said, it's still a point against Microsoft and the "security by obscurity" model. A VERY large point it is also..
NOW I see more clearly why Microsoft is trying their DAMNEDEST to not get their source code opened for the whole world to read. Wouldn't you? =)
Ryan Wyler
Re:Wasted time (Score:2)
What bothered me was not that slashdot got it wrong but that they had an entire article by ESR about how this proves closed source is totally insecure and open source is the cure.
Other news sources reported this but did not have extensive articles bashing Microsoft and implying that Microsoft designed the backdoor and placed it in the program.
What slashdot did is sort of like a paper writing an extensive article explaining how the cuban community in miami is evil because they killed Elian rather than give him to his father then writing another article saying that they were wrong and Elian wasn't dead after all.
Re:What's happened to Slashdot? [Offtopic] (Score:1)
If you don't want to do that, ask Rob et al. to have a switch to turn off ACs for you, and maybe have a way to not see posts based on a regular expression that you set up on your prefs page.
Of course the harder everyone tries to get rid of Trolls, the more they will appear. That is their nature, they want to annoy and pester you until you can't stand it anymore. I believe the AMA will be recognizing it as a disease soon, and will hopefully have a pill to counteract its effects by 2005. Until then, the AMA are asking that if you see a Troll, to put it out of its (and our) misery, go to any clinic and they will give you a small bat that should do the job, in a crunch, a shovel will do. (no plastic ones though) Detailed instructions accompany the bat.
The unfortunate thing is that we can't just ignore them either, they will simply try harder to get our attention.
Re:The Slashdot/Open Source Agenda (Score:1)
Please engage brain before putting mouth in gear.
Re:Ahem... (Score:2)
There are also bugs/races in open source programs that were sitting around for several years. I believe a few months ago there was an exploit for Red Hat/Debian systems that Slackware had fixed 2 years before. Right now Lynx has a bunch of races in file creation that won't be fixed because the code is so bad and the authors aren't addressing it. So open source is not the cure that ESR makes it out to be, since not many people with the knowledge of what's happening look at the code they're compiling.
Speaking of stuff in source code ... (Score:2)
# cd
# find . -name '*.c' -print0 | xargs -0 egrep -i "fuck|shit|damn" 2>/dev/null
It's quite amusing.. It's there.. but I can guarantee that you will not find an INTENTIONAL security hole in the Linux kernel.
Ryan Wyler
Moderate this UP! (Score:2)
The parent to this post is the one post on this entire article that is ACTUALLY RELEVANT and has a lot of meaty, relevant links .
--Joe--
Another "phrase" in another file (Score:1)
Re:Smells like the Money (Score:1)
Linux didn't suffer at all. Now Linux based companies on the other hand...
"Free your mind and your ass will follow"
The Troll Pill [Way Offtopic] (Score:1)
I believe the AMA will be recognizing it as a disease soon, and will hopefully have a pill to counteract its effects by 2005.
Get your troll pills here [rose-hulman.edu]. If trolls are playing Vitamins on their boxen, they can't be trolling /. at the same time.
The unfortunate thing is that we can't just ignore them either, they will simply try harder to get our attention.
There is a limit as to how hard they will try. Ignore them hard enough (build enough karma to get the +1 bonus, then browse at 2) and they'll stop trying.
Re:What's happened to Slashdot? [Offtopic] (Score:1)
Trolls kill the readability of this site. Perhaps we should limit the number of posts by any given IP address to 1/10 minutes, the length of time it takes to post something serious. This would not stop the maniacal trolls but slow new trolls and lessen the tendency of people to overreact to (real) trolls starting flamewars.
I wish the sex/grits trolls would leave. The political (VA) trolls are annoying but at least have a real message. 1 post/10 minutes would cut much of that crap out and probably increase the quality of posts in the threads generally.
To the real trolls, keep going! Sometimes you are the only ones presenting the other point of view even if I occasionally get suckered.
Re:Eric Raymond spreads FUD!!! IDIOT!! (Score:1)
Re:What's happened to Slashdot? [Offtopic] (Score:1)
is that Microsoft has a lot of their serfs (directly and indirectly) flailing at Slashdot to disorganize things, try to keep us apart, try to fragment the core believers in openness.
It sounds crazy at first, but back in 1998 or so MS *did fund* a fake grassroots ("astroturf") campaign to try and drop support for the DOJ in the legislative and executive branches of the US government -- that is, they paid people to send letters in support of MSHAFT to the government, people claiming to be independent of MSHAFT, just another lie in the string...
It's not that far of a stretch to have the serfs come pollute Slashdot. The most obvious ones start with "...hey, i don't like MSHAFT either, but..." Personally, that's when I recognize them.
I also read a thoughtful article by someone here about this being an ancient Japanese technique when your adversary has an open forum -- send in your clowns to spread hate and misery, to discredit the opponent.
Overall, I've come to believe this is the case. This open forum has simply become infested by the opposition, who will post anything to discredit the truth. An opposition that consists of thousands of programmers and users that are simply "less than" -- that is, unable to see past their own desire to retain dominance and see the necessity to restore sanity to the software industry.
Perhaps most ironically, it is Microsoft programmers who stand to gain the most from government intervention. They would obtain a wider field of possible employers. Why they don't see that...oops, I forgot
Anyway, if Linux goes down, it won't be the first time brawn beat brains, or wrong beat right, or evil beat good, or the general public chose poorly. There are many instances in history where governments/societies chose *extremely poorly*, even though it seemed right at the time.
Personally, I don't think censorship applies to grossly offtopic posts. The "VA Linux" whiner is pathetic. Okay, if there is anyone out there who doesn't realize that the stock market had a major reversal, and VA Linux/Andover/Red Hat/MP3/SGI all cratered, please....go read the news.
Besides, ESR still has 150,000 shares; even if VA drops to like $0.50 it's still $75K he didn't have before all this. I feel sorry for the people who really lost out this week -- people depending on 401K distributions, etc. That's really painful.
Re:Thanks for the article, Hemos (Score:2)
While reports focused on a phrase -- "!seineew era sreenigne epacsteN" or the backwards spelling of "Netscape engineers are weenies!" -- which was present in the DLL, that's a red herring, said Cooper, adding that the phrase is not a password, but a cipher key used to scramble the address of Web pages requested by users.
Then what is this: (Score:3)
Two dlls (dvwssr.dll and mtd2lv.dll) included with the FrontPage 98 extensions for IIS and shipped as part of the NT Option Pack include an obfuscation string that manipulates the name of requested files. Knowing this string and the obfuscation algorithm allows anyone with web authoring privileges on the target host to download any .asp or .asa source on the system. This includes users with web authoring rights to only one of several virtual hosts on a system, allowing one company to potentially gain access to the source of another company's website if hosted on the same physical machine.
If this is true, this is a vulnerability in the environment with multiple users sharing a hosting service (but not with single user as someone probably thought originally).
Anyone disproven this? Or now only vulnerabilities that don't require a local account on the system count as real?
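The two posts above (the "obfuscation key ... probably using an XOR scheme" guess, and the description of a string that "manipulates the name of requested files") describe the same mechanism. As an added example that is not code from the thread, from RFP's advisory or from Microsoft, the Python below sketches what an obfuscation key means in practice if the scheme is a repeating-key XOR. The key value (the reversed phrase quoted in the thread), the XOR scheme itself and the request paths are assumptions for illustration; the real dvwssr.dll algorithm is not reproduced here. What it demonstrates is why such a key is not a secret: anyone who reads the string out of the binary decodes and forges requests, and even a key that had never been found would fall to a known-plaintext attack, because the attacker chooses or can guess the path being encoded.

```python
from typing import List, Optional

# The phrase as quoted in the thread, in the reversed form reported from the
# DLL. Treating it as the XOR key is an assumption made for this example.
KEY = "!seineew era sreenigne epacsteN"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one function both
    obfuscates and deobfuscates; the only 'secret' is the key bytes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate_path(path: str, key: str = KEY) -> bytes:
    """What a client would send instead of the plain path (assumed scheme)."""
    return xor_with_key(path.encode("ascii"), key.encode("ascii"))


def deobfuscate_path(blob: bytes, key: str = KEY) -> str:
    """What the server recovers; anyone holding the key can do the same."""
    return xor_with_key(blob, key.encode("ascii")).decode("ascii")


def recover_key(blob: bytes, known_plaintext: str, key_len: int) -> str:
    """Known-plaintext attack: each key byte is blob[i] XOR plaintext[i].
    Key positions not covered by the known plaintext come back as '?'.
    An attacker who can choose or guess the path (a site prefix, or a
    filename such as global.asa) needs no copy of the DLL at all."""
    known = known_plaintext.encode("ascii")
    slots: List[Optional[int]] = [None] * key_len
    for i, (c, p) in enumerate(zip(blob, known)):
        k = c ^ p
        if slots[i % key_len] is None:
            slots[i % key_len] = k
        elif slots[i % key_len] != k:
            raise ValueError(f"known plaintext inconsistent at offset {i}")
    return "".join(chr(k) if k is not None else "?" for k in slots)


if __name__ == "__main__":
    # Constructed request: an author on one site asks for another site's global.asa.
    target = "/customers/siteB/orders/global.asa"
    wire = obfuscate_path(target)
    print("on the wire :", wire.hex())
    print("decoded     :", deobfuscate_path(wire))
    # Key recovery from a guessed prefix alone, then from the full path.
    print("partial key :", recover_key(wire, "/customers/", len(KEY)))
    print("full key    :", recover_key(wire, target, len(KEY)))
```

The partial recovery is the practical point: a guessed 11-character prefix yields 11 of the 31 key bytes, and every further request whose plaintext can be guessed fills in more, so a fixed key compiled into the server is obfuscation rather than access control regardless of whether the string is ever published.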
exploit from SecurityFocus page (Score:1)
I hope Microsoft SUES and WINS (Score:2)
It was very easy to verify. As soon as I heard the story, I tried to verify it, by installing IIS, etc, and was unable to.
Looks like the press got suckered in to reporting an urban legend! I hope Bill Gates puts these so-called newspapers out of business for this slanderous coverage.
--- Speaking only for myself,
Re:Alright.. (Score:1)
Can Netscape sue for libel?
Can they prove they're not weenies?
Does that mean that a judge would have to establish a legal definition of what constitutes being a weenie?
I say the MS engineers should challenge the NS engineers to a Nerf battle. Winner take all.
Re:Vaporbug (Score:2)
Re:Ahem... (Score:1)
True, but ESR's main point w.r.t the Weenie issue is that it is very very hard for someone to sneek a backdoor into OSS.
--
Simon
Re:Wasted time (Score:1)
Cooper shot off his mouth to none other than the Wall Street Journal, before posting to his own list. Slashdot even had the story several hours before I got it in the mail. Once the folks on NTBugTraq looked at it, they determined that "netscapeengineersareweenies" was not a password, but did find another exploit concerning this DLL.
While Cooper's list is an important source for NT admins, right now Russ is definitely wearing a boob on his head.
As for the facts of the matter, the DLL in question is only needed to support Visual InterDev 1.0 (obsolete), so by all means it should be deleted. Shame on Microsoft for including it in the base IIS product to begin with.
But... (Score:2)
What if they decided to use for their string something like the following: "I've seen a report compiled by private detectives that detail a very sordid private life by Sun CEO Scott McNealy. It appears that various times within the last 24 months, he has forced subordinates, both female and male -- one a 16-year old high school exchange program coder -- into engaging in sexual acts with him under the threat of losing their jobs. Our source indicates that all employees -- some current employees and some who have departed -- were paid off with a secret discretionary fund controlled by Sun's board of directors."
Now, any reporter making something like that up would get their testes sued off, but what if a company purposely put it into a common library, knowing that it'd be found, just biding time until someone looked at it with a hex editor? Yeah, it's pretty far out there on the realm of possibilities, but I have a hard time believing that a new judge would keep the precedent set by the one you mentioned in such a case.
Cheers,
ZicoKnows@hotmail.com
Re:Incredible Lunacy! (Score:1)
Eric - what have you to say now. All your 'insights' and 'inspirations' are proven wrong. Yeah, facts, unlike your posts. When VA Linux hit $300 on opening day, you all blabbed about how important it was for the Linux community. You said "it's nice to see that investors get it!". Well, now that VA Linux is a loser to anyone who still owns shares, what does that say? You said investors 'Got It', and I think you are right, they still get it. Linux is nothing. It's not important. It's insignificant. It's 28 and plummeting fast. You guys get all high and mighty whenever there is pro-Linux or anti-MS news, where are all your comments about this news? Why the silence? Surely it rates as a story since VA Linux was a story whenever there was any other news about it. Go ahead Linux losers, moderate me down. Trolls of the world, copy this message, and make sure it's posted 100 times in each article. We'll get the message out regardless of what the moderator queer Linux lovers think
Re:Stuffing Linux up your ass is FUN! Ooooohhh.... (Score:1)
Oh wait... lemme guess. You lost money in stocks and now you need a scapegoat.
Stocks are not a lot different from gambling. You win some you lose some. Get over it and stop whining you ninny.
"Free your mind and your ass will follow"
Re:Smells like the Money (Score:1)
Netscape Engineers *are* weenies! (Score:1)
Netscape software sucks. Even Netscape's parent company AOL admits IE is better. After all, when you subscribe to AOL, you get Internet Explorer.
--- Speaking only for myself,
Lets not talk of VA or ESR. (Score:1)
Hmm or better yet how about we all agree to go back to having our own thoughts. Then get back to posting interesting stuff.
MS Bashers: The Religion Exposed (Score:3)
I drive a Honda, and I love my Honda. I do not spend most of my waking hours evangelizing about why Toyotas are inferior cars. I'm content to drive the car I want to drive.
You all have lost sight of the fact that a computer is only a tool. And if you're wise, you will put your biases and prejudices aside and use the best tool for the given application!
Linux [and open source] is not always the best solution to a given problem.
The hypocrisy of your animosity is enormous. Would you have a PIII650 with 256MB if it wasn't for Windows being directly responsible for expanding the user base of PCs and thereby lowering the prices for everyone (that includes you, Linux user)?
If you do not like it, do not use it. Your energies would be better spent taking care of the problems in your house instead of sweeping them under the rug.
And, in case you're curious what my tools of choice are: Win2000 (which works great) and BeOS (which works even better!).
Re:The Slashdot/Open Source Agenda (Score:4)
It seems whenever anyone starts calling their little group a community everything starts falling apart. Everyone now feels justified in making demands upon everyone else; everyone starts to think in the "mass mind" and it's only a matter of time until the tyranny of the majority destroys everything. There is no community. There's a Slashdot community, I'll give you that, but if Slashdot is the primary representative of Free Software, all hope in civilization is lost. Free Software, Open Source, whatever you want to call it, I don't see a community. I see everyone as an individual, all with equal rights, specifically the right to use their software however they god damn want to. So we all share something. Isn't that nice? It doesn't make it a community. It MUSTN'T be a community, or it will destroy itself over the petty demands of "the community."
Now, rant over I think. You can't blame slashdot for this backdoor mishap. They got the story from WSJ and C|Net and whatever other websites published it. We've all complained before that slashdot editors should do some fact checking before posting stories that don't sound credible, but really, if you believe everything you read... things like this really aren't worth complaining about. Relax and shrug it off. No one is infallible.
Man's unique agony as a species consists in his perpetual conflict between the desire to stand out and the need to blend in.
Re:MS Bashers: The Religion Exposed (Score:4)
Microsoft has millions of dollars and a lot of easily convinced people to push their agenda. Linux has people who love it. There is a fundamental difference, some people embrace it, some people ignore it, some just go about their merry lives, hoping things will get better but never doing anything about it.
There was a recent store closing in my town. A bookstore that could no longer compete and was forced to close its doors. Since then, a small awareness has arisen in people that the votes they make with their dollars and their actions help shape the world around them. If the only thing they look at is their own convenience, and their own bottom line, well, then that's how the community crumbles.
If you stick your head in the ground and ignore or dismiss the negative actions of powerful entities, they will have no recourse but to continue with that course of action, because it's obvious nobody cares. It's the same with your average eight-year-old.
Just the tip of the iceberg of a counter rant, and MHO.
--
Re:The Slashdot/Open Source Agenda (Score:2)
Free software and open source just changed the playing field which puts "old-style" (if you can call two decades old) corporations on unstable footing. But they'll adapt; they have to. Meanwhile, the net is wide open and free software corporations have the ball.
Re:Smells like the Money (Score:2)
The headline subtext: Microsoft engineers placed a password in server software that could be used to gain illicit access to hundreds of thousands of Internet sites worldwide.
Microsoft Corp. acknowledged Thursday that its engineers included in some of its Internet software a secret password...
The manager of Microsoft's security-response center, Steve Lipner, acknowledged the online-security risk in an interview...
By using the so-called back door, a hacker may be able to gain access to key Web-site management files, which could in turn provide a road map to such things as customer credit-card numbers, said security experts who discovered the password.
When you have Microsoft calling it a secret password and an online security risk, I guess people figured it was just that. They assume at least Microsoft did look into it before letting their security-response center manager go to the presses. Then ZD and the experts who discovered it were the ones that stretched it to "hundreds of thousands" of servers and that whole credit-card scheme. Everything with these folks has to end in credit card fraud.
This is how I figure people (including ESR) went to calling it a backdoor. But many of the arguments of closed vs open source regarding security/privacy still stand. We have seen things like Blizzard secretly sending [slashdot.org] your email and stuff from the registry when you mis-type the CD key. These sort of things can very easily be put into programs, and there's little way to find out except to sniff and the like (not to mention you'll get sued for disassembling it and other freakin' EULA/reverse-engineering crimes). It could happen in the Linux kernel, GCC, Apache, etc., but of all the thousands of eyes looking at the code, someone will find it quicker than someone will find it in closed programs. Someone will become curious about how a specific piece works, gcc will become more strict and error out, etc. Eventually someone will fall into the malicious code. Then it's snip-snip and it's all good again. Not to mention with many projects using CVS and the like, it's not hard to go back and see just who it was that submitted the code, unlike Microsoft's "as-yet-unidentified person."
Rejoice! Slashdot still kicks ass! (Score:3)
Ah, but the encouraging thing is-- if Slashdot readers consist entirely of backslapping open-source bigots, why was your comment moderated to a +4? Why was the top-rated comment about the `Geek Pride' festival one that said, I think, that meeting Eric Raymond would be `about as enticing as a headwound'? Certainly among the Slashdot Illuminati, there's a strong voice of dissent to the party line.
I get the impression that the majority of the comments you read on Slashdot represent the views of a group of kneejerk reactionary teenagers who, like you do when you're a teenager, are trying to find their niche to fit in. The sometimes heady political atmosphere of Linux advocacy is ideal for this sort of self-definition, gives you something to talk about at parties etc. (but does not, repeat not impress girls, take note. Skateboarding is still good for something. )
Anyhow, I think the guys that run this site do a smashing job of keeping us posted. I don't think they have an agenda, but their attitude, like that of most balanced Linux users, is parallel to Linus' when he said jokingly that the purpose of Linux was to `conquer the world'. Slashdot's stories need to be taken with this sort of tongue-in-cheek comment in mind-- yeah, so MS has a dodgy DLL, big deal we will now inherit the earth bwahahaha... you're hardly meant to take it as serious political commentary. But I think the teeny contingent take it seriously and flood the comments boards with Borg-like efficiency because, well, they're just following a crowd like teenagers do.
Hmmm, bit of a ramble. But you get my drift. I don't think Slashdot is going to be descending into back-slapping hell for a long while, and there are some really incisive, decent comments being moderated up. And let's not let ESR do security reports in future, because although he's written some good essays and software, he does have an annoying habit of posting complete tripe here.
Interesting experiment. (Score:2)
An interesting experiment would be to put a comment in some obscure piece of Linux kernel or utility code, saying "This is a survey. If you find this comment, send a message to whoever@wherever, and don't mention it to anyone. In a year I'll report on how many pairs of eyes have spotted it. (P.S. - Let me know if you only have one eye.)"
--
Re:Eric, we remember (Score:2)
you don't know how much of those ESR (or anyone) sold off
FWIW, Everyone knows how much ESR has sold off: exactly zero shares. He's not allowed to sell any until 6 months after the IPO, which will be in June. At the current rate, VA Linux could be a penny stock by that point, especially after that recent report showing how they were trounced by the competition in the sale of Linux computers. Honestly, by the way that they're dwarfed by the other hardware vendors, companies which are already profitable, what does VA Linux have going for it which would keep this stock from going even lower? They're not looking to turn a profit anytime soon, and today's Wall Street has very little patience for stocks like that.
Cheers,
ZicoKnows@hotmail.com
Re:What's happened to Slashdot? [Offtopic] (Score:2)
send in your clowns to spread hate and misery, to discredit the opponent.
As long as Slashdot continues to post garbage and lies like the ESR article, neither Microsoft nor anyone else needs to send people here to discredit Slashdot -- it's doing a heckuva job on its own.
Cheers,
ZicoKnows@hotmail.com
We'd have read the source (Score:3)
And if there *had* been such a backdoor in Apache, whoever found it could have posted the code rather than just asserting it, so we'd be *right* not to be quick to believe an unsupported assertion.
Bottom Line (Score:2)
Re:But you all thought it was true. (Score:3)
And the perception is sometimes more important than the reality.
However much this turned out to be a false alarm, the fact that it was taken so seriously by so many people (and not just us drooling anti-MS types) is going to be read by the non-technical crowd as a sign that this kind of thing really is possible.
I think the next time a non-US parliament* discusses the issue, you'll find that the discussion has moved from last year's Could this kind of thing be happening? to this year's How do we protect ourselves from this kind of thing?
I suspect this overblown flap will prove to be the last nail in the coffin of closed source software exports. People have just seen the proverbial writing on the wall, and would be fools to wait until they really do get stung before doing something about it. And conveniently, Open Source Software was just on the verge of public acceptance when all this happened.
Rather than saying that this is something that was overblown in a way that never should have happened, the wise should be grateful that it happened and was overblown enough to reach their attention.
I find myself increasingly unwilling to run non-OSS software on my Linux system at home, even though I don't have anything to hide or anything worth stealing. I wouldn't dream of running anything I hadn't compiled myself on a commercial site. And it's not hard to imagine how paranoid the directors of government agencies around the world must be getting about this kind of thing right now.
Someday the alarm will be for real, and serious damage will be done. On that day the users of OSS will be patting themselves on the back for more than just the money they have saved.
~~~~~
* I explicitly exclude the US, not because we don't have a parliament, but because we're way too stupid to let something like basic security stand in the way of supporting American businesses with our purchases.
In fairness I should also note that although OSS seems to be the kind of source code that's getting attention right now, it might also suffice to have "closed" code under a non-disclosure agreement, so long as it was complete enough for you to compile it yourself. (Though even then the non-disclosure would presumably limit the number of pairs of eyes viewing it. Indeed, you would not even know whether you were actually getting the same code that the NDND got, with the result that you would need to scrutinize the whole thing yourself.)
--
Re:DLL roulette (Score:2)
I should have known that. I killed a Windows95 system one time by using the Windows uninstall utility to remove a frickin' $5 game.
--
Re:Smells like the Money (Score:2)
the dark side of the force (Score:2)
Re:Netscape Engineers *are* weenies! (Score:2)
As a web developer I HATE IT. Explorer does NOT correctly support HTML standards, and contains a lot of code that imposes its own view of how flawed code should be shown, often making up tags as it goes along. I cannot use IE as a development tool because it just flat out does not display HTML correctly! It also is extraordinarily crappy for Javascript debugging.
IE has had the effect of encouraging sloppy HTML coding habits - something that is going to bite the web in the ass when smaller web devices without the horsepower to run large browsers like IE become common.
Slashdot and Agenda (Score:2)
I will state that most Open Source programmers had nothing to do with the feeding frenzy on Slashdot. A few "luminaries" did, but in general they acted upon what information was reported by Microsoft and NTBugTraq. Given that Microsoft itself was calling it a "back door", I can hardly fault ESR for putting out a long essay about the problem.
Finally: To accuse Open Source people of "corporatism" is silly. People who release code under the GPL do so that others *can't* take ownership and hide it from view, which is what corporatism is all about. Yes we get excited when we see our beliefs vindicated, but this has nothing to do with money. It is interesting that many former Microsoft employees, albeit working in other places hundreds of miles away from Redmond, will still defend their former employer, for the exact same reason: pride of ownership. It is "their" product, and they want to tell the world that it's good stuff and that those who criticize it are weenies. No Borg mind-washing required.
About the only lesson we can learn here is that there would have been no story if it were OSS. The Wall Street Journal would have contacted a local security guru, who would have looked at the source code of the module in question, and said "There's no back door there." No story. The only reason there was a story was because only one company had the source code to this module -- Microsoft -- and the Wall Street Journal had to rely on Microsoft's word. And Microsoft was saying it was a back door.
-E
Re: (Score:2)
Re:But Microsoft bashing is fun at times (Score:2)
Microsoft engineers are weenies! (Score:2)
Oh, I love Microsoft's well-developed sense of responsibility and mature approach to the market
So I guess people are backing off because you have to have publishing rights, but the ugly part is that you only have to have publishing rights to one of the virtual hosts on a server to get all of the
I'll have to peruse the Ars Technica comments to see why they don't consider this a back-door.
A valid story (Score:2)
The story is still up in the air as far as I'm concerned. One guy (who, BTW was not the original discoverer of the exploit) is reporting that Microsoft doesn't think there's an exploit.
I want to see some people grab the exploit script (it's on the real bugtraq) and run it against some test servers with valid permissions. Does it work? How invalid do the permissions have to be? Does the Microsoft documentation lead you down the road of "invalid permissions" for setting up virtual hosts?
Many questions need to be answered before this case is closed....
Re:Great SUCKUP Russ Nelson (Score:2)
-russ
Re:Ahem... (Score:2)
-russ
Re:But Microsoft bashing is fun at times (Score:2)
Apple DOS 3.3. Unless you want to count the AppleBASIC in the ][e's ROM as an OS =)
THERE IS A BUFFER OVERFLOW! (Score:2)
Facts:
Re:I hope Microsoft SUES and WINS (Score:2)
I guess they are part of the irresponsible press and should sue themselves, huh?
Torrey Hoffman (Azog)
Re:THERE IS A BUFFER OVERFLOW! (Score:2)
2. Release a sploit that DoS's or executes arbitrary code with the buffer overflow that actually works, first time, without having to turn shit off on the server.
If after you do this you see that people don't care, don't be surprised; they have lived with insecurity for years. But if you pulled this shit in the unix community there would be the same response. "You got a sploit?" "err.. no" "Then we'll get around to looking at the code later"
Re:Who saved Microsoft's ass this time ? (Score:2)
That's the point! (Score:2)
Because we don't have the source to IIS, we couldn't check for ourselves, so when people who we trust more than MS (for good reason - they are somewhat unbiased) made an allegation we believed them.
That's the reason Open Source is better - the security experts (or us) could have checked the source, seen no real hole, retested the scenario, and seen what was really going on.
Re:MS Bashers: Use the right tool (Score:2)
Precisely. That's why I use *nix -- winbloze has neither grep nor cron.
The above post is insightfull? (Score:2)
Moderate it down, moderate correctly. I have to agree with the other posts about moderation.. What the hell is going on here. Enlighten me on what "If you stick your head in the ground and ignore or dismiss the negative actions of powerful entities, they will have no recourse but to continue with that course of action, because it's obvious nobody cares. It's the same with your average eight-year-old. " means. So it means now if you bust your ass working on linux stuff and some corporation is still making millions life is good because you're not an 8 year old? Gimme a break people. Microsoft is Microsoft, you people BOUGHT their software or COMPUTERS with it on them. You could have bought OS/2, Apples, or even kept the faith in very advanced for its day NeXT Boxes or BeBoxes. The consumer was the one putting their faith in Microsoft. Should we sue McDonalds because it makes people fat and really tastes like shit but the commercials make me buy it, or because it's the only joint on my block it's now unfair competition and they have to be sued until someone else with another shitty ass hamburger can come back in? My god. CHOICE PEOPLE! You chose a FUCKEN LAWYER to win your battle. Now think about that. You didn't choose NOT to run a Microsoft Product, you chose to waste money on supporting a government that is just as unruly and unjust as any corporation that exists. Fear the capitalism? Then move somewhere else or leave it be. DON'T take my choice! I still run Windows, I still run OS/2, I still use Linux. MY Choice. I didn't support nor write my legislature/senators to sue Microsoft, that is BS. I didn't buy a distro because THAT is BS. Buying something that *IS* free for the sake of Support? If the INFORMATION is free, why would you NEED support? If it was intuitive enough, what would be so hard that you need support????? Why should Red Hat get my money more so than Microsoft?
At least with Microsoft I see innovative features such as the highly popular portals/email/mapping systems, kick-ass gaming, ease of use, quick adaptation, forward looking and forward thinking design and GUI concepts? I mean for the first time in computer la la land there is consistency and a huge market.
And we want to destroy that because people are naive and want to accept freedoms and not be forced to choose? Microsoft didn't FORCE Windows. Microsoft didn't FORCE anything. They played the game and the lil boys lost.. wooopideee dooo. They acquired when Netscape could have acquired. Why didn't Netscape team up with IBM to compete with Microsoft? I won't even go any further, as it's pointless really..
Re:But Microsoft bashing is fun at times (Score:2)
Who said Windows 2000 was supposed to do that? I mean, at one time that was Microsoft's story, but no longer. That's why it's called Windows 2000 Professional and Windows 2000 Server. There will always be WindowsMe and Windows 2000 Consumer...
I use the command-line in Windows for almost everything but dinking with specific file operations
Same here.
And yes, I do know what I'm talking about, I've used Win2000, hardware support? We obviously don't NEED hardware support in this OS, after all we're cool! (Now, on the other hand, Linux is good.. that's actually my main OS..)
Win2k detected every piece of hardware I had, both on my PII 450 desktop (mostly new hardware) and on my old laptop (P133). Of course, I don't have every whiz-bang programmable Speaker/Joystick/Modem/TurboKeyboard/Ethernet/Pri
combo device on the planet, but still...
And Win2k has better hardware support than Linux (sad, but true). Linux rule of hardware: if it just came out yesterday, or if it came out 10 years ago and almost nobody uses it, then there is no support for it.
Re:The above post is insightfull? (Score:2)
Yes, choice. My choice. The fact that I've used computers extensively for 10 years, all but the last one extensively on the Microsoft platform. Recently it has been proven (beyond a shadow of a doubt) that this wasn't because they produced the best software, well, maybe it was the best software, but they cheated to keep it that way. Or should I say the platform upon which it is run. Microsoft stumbled, thanks to IBM's ego, upon the true power over the home PC, its operating system. Apple had a chance, but kept the shortsighted view and tried to control the hardware too. Hardware is commodity stuff, as it turned out. I believe it's fairly obvious now that Operating Systems are the same. Unfortunately the company with a stranglehold on the home PC doesn't think so, AND HAS BROKEN LAWS TO HOLD THEIR POSITION. And in doing so has hurt the consumer. So that's why I'm pissed.
"If you stick your head in the ground and ignore or dismiss the negative actions of powerful entities, they will have no recourse but to continue with that course of action, because it's obvious nobody cares. It's the same with your average eight-year-old. "
Basically it means that if you don't respond to the actions of someone, be they an eight-year-old or a billion dollar corporation, they will continue doing the same thing. If someone hurts you, and you want them to stop, the simplest thing is to tell them. If that doesn't work, you tell other people too. Unfortunately in this situation M$ has been able to squeeze so much money out of the market, that they can state their position whenever and wherever they want. I don't have that option, so I rant here.
You could have bought OS/2, Apples, or even kept the faith in very advanced for its day NeXT Boxes or BeBoxes.
Yes, I could have, unfortunately every program that comes out has a cute little Window on the package. The OS is just the foundation, and a foundation with no buildings is useless. Microsoft used every tactic it could to keep people from building on others' foundations, because they know the only real money comes from owning the land. (lot's o'metaphors phor you.)
You didn't choose NOT to run a Microsoft Product, you chose to waste money on supporting a government that is just as unruly and unjust as any corporation that exists. Fear the capitalism? Then move somewhere else or leave it be. DON'T take my choice!
Capitalism needs a free market to function properly; when a company, say in a Monopoly position, abuses that power, it fscks up the market. Study the history of capitalism if you don't believe that.
If the INFORMATION is free, why would you NEED support?
Because knowledge and information are two different things.
--
Say hi to the folks on k22320inchfan for me!
--